Stack-based buffer overflow in Eclipse OpenJ9

Published: 2025-07-03

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2025-4447
CWE-ID	CWE-121
Exploitation vector	Local
Public exploit	N/A
Vulnerable software	OpenJ9 Server applications / Virtualization software
Vendor	Eclipse

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Stack-based buffer overflow

EUVDB-ID: #VU112132

Risk: Medium

CVSSv4.0: 3.6 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:H/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-4447

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability occurs when modifying a file on disk that is read when the JVM starts. A local user can trigger stack-based buffer overflow and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

OpenJ9: 0.0 - 0.49.0

CPE2.3

External links

https://github.com/eclipse-openj9/openj9/pull/21762
https://gitlab.eclipse.org/security/cve-assignement/-/issues/61

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.