Eclipse Vert.x vulnerable to a memory leak in TCP servers

GHSA-9ph3-v2vh-3qx7 · CVE-2024-1300

Published Apr 2, 2024 · Modified Feb 28, 2026

Description

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-1300
WEB https://github.com/eclipse-vertx/vert.x/pull/5101
WEB https://github.com/eclipse-vertx/vert.x/pull/5100
WEB https://github.com/eclipse-vertx/vert.x/pull/5099
WEB https://github.com/eclipse-vertx/vert.x/commit/7ad34ea9d78f85e26b231ee3ec8d492d10046479
WEB https://github.com/eclipse-vertx/vert.x/commit/3d9235cadf44df39a70dc75bddfe0b8fcbd6a683
WEB https://vertx.io/docs/vertx-core/java/#_server_name_indication_sni.
PACKAGE https://github.com/eclipse-vertx/vert.x
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2263139
WEB https://access.redhat.com/security/cve/CVE-2024-1300
WEB https://access.redhat.com/errata/RHSA-2024:4884
WEB https://access.redhat.com/errata/RHSA-2024:3989
WEB https://access.redhat.com/errata/RHSA-2024:3527
WEB https://access.redhat.com/errata/RHSA-2024:2833
WEB https://access.redhat.com/errata/RHSA-2024:2088
WEB https://access.redhat.com/errata/RHSA-2024:1923
WEB https://access.redhat.com/errata/RHSA-2024:1706
WEB https://access.redhat.com/errata/RHSA-2024:1662

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes