DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-6860: Unbounded SNI Cache Growth in Eclipse Vert.x

Vulnerability ID: CVE-2026-6860
CVSS Score: 5.3
Published: 2026-05-09

Eclipse Vert.x suffers from an uncontrolled resource consumption vulnerability (CWE-400) in its Server Name Indication (SNI) handling. When server-side SNI is enabled and the server is configured with a wildcard TLS certificate, an unauthenticated remote attacker can exhaust server memory by opening TLS handshakes that each carry a previously unseen hostname under the wildcard, ultimately resulting in a Denial of Service (DoS).

TL;DR

A flaw in the SNI caching mechanism of Eclipse Vert.x allows remote attackers to trigger out-of-memory (OOM) conditions. Vert.x caches an SslContext per SNI hostname it resolves. By sending a stream of TLS ClientHello messages whose server_name values are all unique but all fall under the wildcard certificate, an attacker never gets a cache hit and forces one new SslContext allocation per handshake on the JVM heap, with nothing bounding or evicting the cache.
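To make the failure mode concrete, the following is an added model of the cache behaviour described above, written for this page and not taken from Vert.x. It contrasts a cache keyed on the attacker-chosen hostname (the pattern this CVE describes) with one keyed on the certificate entry that actually served the name, plus an LRU bound. The certificate store, the hostname format and the flood of ClientHello names are constructed inputs; the page does not state how the upstream fix is implemented, so the keying and eviction choice in the hardened class is my assumption, not the project's patch.

```python
"""Model of SNI context caching: hostname-keyed and unbounded versus cert-keyed and bounded.

Constructed example, not Vert.x code. The vulnerable pattern keys the cache on the
client-supplied SNI hostname, so every new name under the wildcard certificate
creates and retains a fresh context object on the heap.
"""
from collections import OrderedDict

# Constructed certificate store (assumption): one wildcard cert and one exact-name cert.
CERT_STORE = {
    "*.example.com": "wildcard-cert-A",
    "api.example.net": "exact-cert-B",
}

MAX_HOSTNAME_LEN = 253  # RFC 1035 limit on a full domain name


def normalize_sni(hostname):
    """Return a lower-cased hostname, or None if it is not a plausible SNI value."""
    if not hostname or len(hostname) > MAX_HOSTNAME_LEN:
        return None
    host = hostname.rstrip(".").lower()
    if any(not label or len(label) > 63 for label in host.split(".")):
        return None
    return host


def match_cert(hostname):
    """Pick the store entry serving this name: exact match first, then a single-label wildcard."""
    if hostname in CERT_STORE:
        return hostname
    labels = hostname.split(".")
    if len(labels) >= 3:  # a wildcard covers exactly one leftmost label (RFC 6125 style)
        wildcard = "*." + ".".join(labels[1:])
        if wildcard in CERT_STORE:
            return wildcard
    return None


class SslContext:
    """Stand-in for the per-certificate TLS context object allocated on the heap."""

    def __init__(self, cert_entry):
        self.cert_entry = cert_entry


class HostnameKeyedCache:
    """Vulnerable pattern: key = attacker-chosen hostname, no size bound, no eviction."""

    def __init__(self):
        self.contexts = {}

    def lookup(self, raw_sni):
        host = normalize_sni(raw_sni)
        if host is None:
            return None
        ctx = self.contexts.get(host)
        if ctx is None:
            entry = match_cert(host)
            if entry is None:
                return None  # default context would be used; nothing is cached
            ctx = SslContext(entry)
            self.contexts[host] = ctx  # grows by one entry per unique matching name
        return ctx

    def size(self):
        return len(self.contexts)


class CertKeyedLruCache:
    """Hardened pattern (assumed remedy): key = selected certificate entry, with an LRU bound."""

    def __init__(self, max_entries=64):
        self.max_entries = max_entries
        self.contexts = OrderedDict()

    def lookup(self, raw_sni):
        host = normalize_sni(raw_sni)
        if host is None:
            return None
        entry = match_cert(host)
        if entry is None:
            return None
        ctx = self.contexts.get(entry)
        if ctx is None:
            ctx = SslContext(entry)
            self.contexts[entry] = ctx
            if len(self.contexts) > self.max_entries:
                self.contexts.popitem(last=False)  # evict the least recently used entry
        else:
            self.contexts.move_to_end(entry)
        return ctx

    def size(self):
        return len(self.contexts)


def flood(cache, n):
    """Simulate n ClientHellos with unique names under the wildcard; return the cache size after."""
    for i in range(n):
        cache.lookup(f"h{i}.example.com")  # constructed attacker traffic
    return cache.size()


if __name__ == "__main__":
    print("hostname-keyed cache entries:", flood(HostnameKeyedCache(), 10000))
    print("cert-keyed LRU cache entries:", flood(CertKeyedLruCache(), 10000))
```

The point the model makes: every name an attacker invents under `*.example.com` resolves to the same certificate, so there is exactly one useful context to cache, yet the hostname-keyed cache allocates one per name. Keying on the certificate removes the attacker's control over cache cardinality; the LRU bound is a second line of defence for deployments with many exact-name certificates. Hostname-length and label checks limit the per-entry cost but do not, by themselves, bound the entry count.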


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400
  • Attack Vector: Network
  • CVSS v4.0 Score: 6.9 (Medium)
  • CVSS v3.1 Score: 5.3 (Medium)
  • Impact: Denial of Service (OOM)
  • Exploit Status: Proof of Concept
  • EPSS Percentile: 6.48%
  • KEV Status: Not Listed

Affected Systems

  • Eclipse Vert.x Applications
  • Java Virtual Machine (JVM) instances running Vert.x TLS
  • Microservices utilizing io.vertx:vertx-core for SNI termination
  • io.vertx:vertx-core: >= 4.3.4, <= 4.3.8 (Fixed in: 4.3.9)
  • io.vertx:vertx-core: >= 4.4.0, <= 4.4.9 (Fixed in: 4.4.10)
  • io.vertx:vertx-core: >= 4.5.0, <= 4.5.26 (Fixed in: 4.5.27)
  • io.vertx:vertx-core: >= 5.0.0, <= 5.0.11 (Fixed in: 5.0.12)

Mitigation Strategies

  • Upgrade the io.vertx:vertx-core library to a patched version.
  • Disable server-side SNI (setSni(false) on HttpServerOptions or NetServerOptions) if it is not strictly required; without SNI there is no per-hostname context lookup to abuse.
  • Offload TLS termination to a network edge component (e.g., Nginx, HAProxy, AWS ALB).
  • Avoid the use of wildcard certificates where strict domain matching is possible.
  • Rate-limit new TLS handshakes per source IP address. This only slows the attack: the cache is keyed by hostname, not by client, so every unique name still costs one retained context until the library is patched.

Remediation Steps:

  1. Identify all projects and microservices depending on io.vertx:vertx-core.
  2. Update dependency management files (pom.xml for Maven, build.gradle for Gradle) to specify the appropriate patched version.
  3. Recompile and execute integration test suites to verify compatibility with the new patch release.
  4. Deploy the updated application artifact to the staging environment and monitor heap usage.
  5. Promote the patched application to the production environment.
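Step 1 and step 2 above are easy to get wrong across many services, so the following is an added helper, written for this page and not part of Vert.x or cvereports tooling, that extracts the declared io.vertx:vertx-core version from a pom.xml or build.gradle and assesses it against the affected ranges listed under Affected Systems. The pom.xml and build.gradle texts are constructed inputs; the range table is copied from this page.

```python
"""Assess declared io.vertx:vertx-core versions against the affected ranges on this page.

Added example, not project tooling. The pom.xml and build.gradle samples are constructed.
"""
import re
import xml.etree.ElementTree as ET

# (first affected, last affected, fixed in), taken from the Affected Systems list
AFFECTED_RANGES = [
    ((4, 3, 4), (4, 3, 8), "4.3.9"),
    ((4, 4, 0), (4, 4, 9), "4.4.10"),
    ((4, 5, 0), (4, 5, 26), "4.5.27"),
    ((5, 0, 0), (5, 0, 11), "5.0.12"),
]


def parse_version(text):
    """'4.5.10' or '4.5.10-SNAPSHOT' -> (4, 5, 10); None when not a numeric version."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version_text):
    """Return ('affected', fixed_in), ('not-affected', None) or ('unknown', None)."""
    v = parse_version(version_text)
    if v is None:
        return ("unknown", None)  # unresolved placeholder or odd string: never treat as safe
    for lo, hi, fixed in AFFECTED_RANGES:
        if lo <= v <= hi:
            return ("affected", fixed)
    return ("not-affected", None)


def _local(tag):
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _pom_properties(root):
    """Collect <properties> so ${vertx.version}-style placeholders can be resolved."""
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            for p in el:
                props[_local(p.tag)] = (p.text or "").strip()
    return props


def vertx_core_versions_in_pom(pom_xml):
    """Return the version strings declared for io.vertx:vertx-core in a pom.xml document."""
    root = ET.fromstring(pom_xml)
    props = _pom_properties(root)
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("groupId") == "io.vertx" and fields.get("artifactId") == "vertx-core":
            raw = fields.get("version", "")
            found.append(re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw))
    return found


GRADLE_DEP = re.compile(r"""["']io\.vertx:vertx-core:([^"']+)["']""")


def vertx_core_versions_in_gradle(build_gradle):
    """Return the version strings in 'io.vertx:vertx-core:<version>' coordinates."""
    return GRADLE_DEP.findall(build_gradle)


# Constructed sample build files (not from any real project)
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><vertx.version>4.5.10</vertx.version></properties>
  <dependencies>
    <dependency>
      <groupId>io.vertx</groupId><artifactId>vertx-core</artifactId>
      <version>${vertx.version}</version>
    </dependency>
    <dependency>
      <groupId>io.vertx</groupId><artifactId>vertx-web</artifactId>
      <version>${vertx.version}</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_GRADLE = """dependencies {
    implementation 'io.vertx:vertx-core:5.0.12'
    implementation("io.vertx:vertx-web:5.0.12")
}"""


def report(versions):
    """Pair each declared version with its assessment."""
    return [(v, *assess(v)) for v in versions]


if __name__ == "__main__":
    print("pom.xml:", report(vertx_core_versions_in_pom(SAMPLE_POM)))
    print("build.gradle:", report(vertx_core_versions_in_gradle(SAMPLE_GRADLE)))
```

Declared versions are only half the picture: a service that depends on vertx-web alone still pulls vertx-core transitively, so run `mvn dependency:tree` or `gradle dependencies` and feed the resolved vertx-core version to `assess` rather than trusting the build file. Anything reported as `unknown` (an unresolved property, a version from a parent BOM) needs a manual look, not a pass.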

Read the full report for CVE-2026-6860 on our website for more details including interactive diagrams and full exploit analysis.
