CVE-2022-3676

moderate-risk
Published 2022-10-24

In Eclipse Openj9 before version 0.35.0, interface calls can be inlined without a runtime type check. Malicious bytecode could make use of this inlining to access or modify memory via an incompatible type.

Do I need to act?

-
0.34% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.5/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Eclipse

References (6)

Patch https://github.com/eclipse-openj9/openj9/pull/16122
Patch https://github.com/eclipse/omr/pull/6773
Issue Tracking https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/389
Patch https://github.com/eclipse-openj9/openj9/pull/16122
Patch https://github.com/eclipse/omr/pull/6773
Issue Tracking https://gitlab.eclipse.org/eclipsefdn/emo-team/emo/-/issues/389
30
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal