Vert.x has a DoS via unbounded server-side SNI SslContext cache growth — CVE-2026-6860
GitHub · GitHub · CVE-2026-6860
ID
CVE-2026-6860
CVE-2026-6860
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
6.9
6.9
EPSS
0.00029
0.00029
Summary
Potential unbounded server-side SNI `SslContext` cache growth in Vert.x TLS handling, with possible resource-exhaustion / DoS impact. On affected versions, matching server-side SNI names are cached via `computeIfAbsent(serverName, ...)` in a serverName-keyed `SslContext` cache, and I could not find any bound, TTL, or eviction for that cache. The implementation differs slightly by branch, but the same sink appears…
Product
maven: io.vertx:vertx-core
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.