CVE-2026-6860

ADVISORY - github

Summary

Potential unbounded growth of the server-side SNI SslContext cache in Vert.x TLS handling, with resource-exhaustion / DoS impact. On affected versions, matching server-side SNI names are cached via computeIfAbsent(serverName, ...) in a serverName-keyed SslContext cache.

The implementation differs slightly by branch, but the same sink appears to be present in released versions 4.3.4 through 5.0.11:

  • 4.3.x: SSLHelper
  • 4.4.x / 4.5.x: SslChannelProvider
  • 5.0.x and current master: SslContextProvider

When server-side SNI is enabled and wildcard or otherwise broad hostname mappings are used, an unauthenticated client can send many distinct matching SNI names and cause the server to retain increasing numbers of SslContext entries over time, leading to increasing memory consumption and possible DoS conditions.
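
An in-memory model of the caching pattern described above, as an added example (it is not Vert.x code and not the project's fix): it compares a serverName-keyed computeIfAbsent cache with two bounded alternatives. The Ctx type, the wildcard mapping, the cap of 256 and the host names are constructed assumptions, and the wildcard check is simplified.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SniCacheDemo {
    // Stand-in for a costly per-name TLS context (hypothetical type, not Netty's SslContext).
    record Ctx(String builtFor) {}

    static final String WILDCARD = "*.example.test"; // constructed mapping
    static final int MAX_ENTRIES = 256;              // assumed cap, tune per deployment

    // Pattern from the advisory: every distinct matching name becomes a retained entry.
    static final Map<String, Ctx> byName = new ConcurrentHashMap<>();

    // Option A: still keyed by name, but least-recently-used entries are evicted past the cap.
    static final Map<String, Ctx> byNameLru = Collections.synchronizedMap(
        new LinkedHashMap<String, Ctx>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Ctx> eldest) {
                return size() > MAX_ENTRIES;
            }
        });

    // Option B: keyed by the mapping that matched, so size is bounded by configuration.
    static final Map<String, Ctx> byMapping = new ConcurrentHashMap<>();

    // Simplified suffix match for the single constructed wildcard above.
    static boolean matchesWildcard(String serverName) {
        String suffix = WILDCARD.substring(1); // ".example.test"
        return serverName.length() > suffix.length()
            && serverName.toLowerCase(Locale.ROOT).endsWith(suffix);
    }

    static void handshake(String serverName) {
        if (!matchesWildcard(serverName)) return; // non-matching names are never cached
        byName.computeIfAbsent(serverName, Ctx::new);
        byNameLru.computeIfAbsent(serverName, Ctx::new);
        byMapping.computeIfAbsent(WILDCARD, Ctx::new);
    }

    public static void main(String[] args) {
        for (int i = 0; i < 10_000; i++) {
            handshake("h" + i + ".example.test"); // constructed names, all match the wildcard
        }
        System.out.printf("byName=%d byNameLru=%d byMapping=%d%n", byName.size(), byNameLru.size(), byMapping.size());
    }
}
```

Run with Java 16 or later. The name-keyed map grows with the number of distinct names, while the LRU map stops at its cap and the mapping-keyed map stays at the number of configured mappings.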

Steps to reproduce

  1. Configure a Vert.x server with setSsl(true) and setSni(true).
  2. Use a keystore or mapping where many distinct SNI names match a wildcard or similarly broad rule.
  3. Send repeated connections with distinct matching SNI values.
  4. Observe that the SNI cache size grows with the number of unique matching names.

What are the affected versions?

Affected released versions confirmed on origin:

  • 4.3.4 through 4.3.8
  • 4.4.0 through 4.4.9
  • 4.5.0 through 4.5.26
  • 5.0.0 through 5.0.11

Not affected by the same sink:

  • 4.0.x through 4.2.x
  • 4.3.0 through 4.3.3

EPSS Score: 0.00238 (0.145)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Improper Certificate Validation

Allocation of Resources Without Limits or Throttling

ADVISORY - github

Improper Certificate Validation

Allocation of Resources Without Limits or Throttling


NIST

  • Advisory ID: CVE-2026-6860
  • Exploitability score: 3.9
  • CVSS score: 6.9 (medium)

GitHub

  • Exploitability score: 3.9
  • Exploits found: -
  • CVSS score: 6.9 (medium)

Chainguard

  • Advisory ID: CGA-2q6f-ghc5-4j7v
  • Exploitability score: -
  • Exploits found: -
  • Common Weakness Enumeration (CWE): -
  • Rating unavailable from advisory

minimos

Each of the following minimos advisories lists exploitability score, exploits found and Common Weakness Enumeration (CWE) as "-", with the rating unavailable from the advisory:

  • MINI-3q47-gq3m-m88h
  • MINI-7485-4mpv-fcgg
  • MINI-8mjp-r4p9-72jx
  • MINI-8w68-45vv-x6vr
  • MINI-9v6q-w927-573f
  • MINI-c8gj-5gq2-vgmp
  • MINI-fhfc-85rp-wr9g
  • MINI-jqjh-9p64-xvr9
  • MINI-pq85-fx4g-fvvc
  • MINI-q5fh-x23j-5vc8
  • MINI-rp8v-hq34-ccjr
  • MINI-v9q6-g4m6-m7g5
  • MINI-xr87-v42g-4m6f