Eclipse OpenJ9 <0.35.0 Inlining without type check allows memory corruption
CVE-2022-3676 Published on October 24, 2022
In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of this inlining to access or modify memory via an incompatible type.
Vulnerability Analysis
CVE-2022-3676 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Types
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
What is an Object Type Confusion Vulnerability?
The program allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
CVE-2022-3676 has been classified to as an Object Type Confusion vulnerability or weakness.
Products Associated with CVE-2022-3676
Want to know whenever a new CVE is published for Eclipse Openj9? stack.watch will email you.
Affected Versions
The Eclipse Foundation Eclipse OpenJ9:- Version unspecified and below 0.35.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.