CVE-2026-6860
TLS Server Name Indication Spoofing in Eclipse Jetty
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: Eclipse Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eclipse | vert.x | 5.0.12 |
| eclipse | vert.x | From 4.3.4 (inc) to 4.3.8 (inc) |
| eclipse | vert.x | From 4.4.0 (inc) to 4.4.9 (inc) |
| eclipse | vert.x | From 4.5.0 (inc) to 4.5.25 (inc) |
| eclipse | vert.x | From 5.0.0 (inc) to 5.0.8 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6860 is a vulnerability in Eclipse Vert.x related to how the server handles TLS connections with Server Name Indication (SNI). When a client performs a TLS handshake and presents a server name that matches a server wildcard certificate (e.g., *.example.com), the server caches SSL contexts for these SNI names without any limit on cache size.
Because the cache is unbounded, an attacker can repeatedly send TLS handshakes with many distinct SNI names that match the wildcard, causing the cache to grow indefinitely. This can lead to resource exhaustion on the server.
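The following is an added illustration, not Vert.x code and not part of this advisory: a small Python model of an SNI-keyed SSL-context cache. It contrasts the vulnerable shape (one entry per distinct client-supplied name that matches the wildcard, never evicted) with a bounded LRU cache of the kind the fixed release is described as using. `build_context` is an assumed stand-in that returns a byte tag instead of a real SSL context, and the hostnames fed in are constructed; the wildcard matcher follows the one-label rule of RFC 6125, so `a.b.example.com` is not covered by `*.example.com`.

```python
"""Model of an SNI-keyed SSL-context cache: unbounded (vulnerable) vs bounded LRU."""
from collections import OrderedDict
from typing import Optional


def matches_wildcard(sni: str, cert_name: str) -> bool:
    """True if `sni` is covered by `cert_name` ('*.example.com' or a plain name).
    A wildcard covers exactly one DNS label (RFC 6125 section 6.4.3), so
    'a.b.example.com' is NOT covered by '*.example.com'."""
    sni = sni.lower().rstrip(".")
    cert_name = cert_name.lower()
    if not cert_name.startswith("*."):
        return sni == cert_name
    suffix = cert_name[1:]                       # ".example.com"
    label = sni[: -len(suffix)] if sni.endswith(suffix) else ""
    return bool(label) and "." not in label


def build_context(sni: str) -> bytes:
    """Assumed stand-in: a real server would build an SSLContext / key manager here."""
    return b"ctx:" + sni.encode()


class UnboundedSniCache:
    """Vulnerable shape: one entry per distinct matching SNI name, never evicted."""

    def __init__(self, cert_name: str) -> None:
        self.cert_name = cert_name
        self._cache: dict = {}

    def context_for(self, sni: str) -> Optional[bytes]:
        if not matches_wildcard(sni, self.cert_name):
            return None                          # no per-name context; default cert applies
        key = sni.lower().rstrip(".")
        if key not in self._cache:
            self._cache[key] = build_context(key)
        return self._cache[key]

    def size(self) -> int:
        return len(self._cache)


class BoundedLruSniCache(UnboundedSniCache):
    """Fixed shape: same lookup, but at most `max_entries` contexts are kept;
    the least recently used entry is evicted when the bound is reached."""

    def __init__(self, cert_name: str, max_entries: int = 256) -> None:
        super().__init__(cert_name)
        self.max_entries = max_entries
        self._cache = OrderedDict()

    def context_for(self, sni: str) -> Optional[bytes]:
        if not matches_wildcard(sni, self.cert_name):
            return None
        key = sni.lower().rstrip(".")
        if key in self._cache:
            self._cache.move_to_end(key)         # mark as most recently used
            return self._cache[key]
        if len(self._cache) >= self.max_entries:
            self._cache.popitem(last=False)      # drop least recently used
        self._cache[key] = build_context(key)
        return self._cache[key]


def flood(cache: UnboundedSniCache, distinct_names: int) -> int:
    """Feed `distinct_names` handshakes with constructed unique in-zone names
    and return the resulting cache size."""
    for i in range(distinct_names):
        cache.context_for(f"h{i}.example.com")
    return cache.size()


if __name__ == "__main__":
    print("unbounded:", flood(UnboundedSniCache("*.example.com"), 10_000))
    print("bounded  :", flood(BoundedLruSniCache("*.example.com", 256), 10_000))
```

Running the script shows the unbounded cache holding one context per name fed to it, while the bounded cache stays at its configured limit; the bound is what turns a per-connection memory cost into a fixed one.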
How can this vulnerability impact me?
This vulnerability can lead to a Denial of Service (DoS) condition on the affected server. By exploiting the unbounded SNI cache growth, an attacker can exhaust server memory and resources, potentially causing the server to become unresponsive or crash.
- Unauthenticated clients can trigger the issue by sending many unique SNI names matching the wildcard certificate.
- The server's memory consumption grows proportionally with the number of distinct SNI names, leading to resource exhaustion.
- This can disrupt service availability for legitimate users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unbounded growth of the server-side Server Name Indication (SNI) SSL context cache when handling TLS connections with wildcard or broad hostname mappings. Detection involves monitoring for unusual or excessive TLS handshake attempts with unique SNI values that match wildcard certificates.
You can detect potential exploitation by observing repeated TLS handshakes presenting different SNI names that match the server's wildcard certificate pattern, which causes the cache to grow.
Suggested commands include using network monitoring or packet capture tools to filter TLS Client Hello messages and extract SNI values. For example, using tshark:
- `tshark -i <interface> -Y "ssl.handshake.extensions_server_name" -T fields -e ssl.handshake.extensions_server_name`
This command lists the SNI values seen in TLS handshakes on the specified interface. Monitoring for a large number of unique SNI values matching your wildcard domain (e.g., *.example.com) may indicate exploitation attempts.
Additionally, monitoring server logs or metrics for unusually high memory usage or cache size growth related to SSL contexts can help detect the issue.
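Added detection example, not part of this advisory: it turns the tshark field output into a per-client count of distinct SNI names inside the wildcard zone, which is the quantity that actually drives cache growth. It assumes the tshark command above is extended with `-e ip.src` so that each output line is `<source ip><TAB><sni>` (tshark's default field separator is a tab, and multiple values in one packet are joined with commas). The sample lines are constructed; the zone name and the alert threshold are assumptions to be replaced with your own.

```python
"""Count distinct wildcard-zone SNI names per source from tshark field output."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample of:
#   tshark -T fields -e ip.src -e ssl.handshake.extensions_server_name
# Two ordinary clients plus one source cycling through many unique names.
SAMPLE_LINES = """\
203.0.113.7\tapi.example.com
203.0.113.7\tWWW.example.com.
198.51.100.9\tq7f3k.example.com
198.51.100.9\ta81zz.example.com
198.51.100.9\tm02kd.example.com
198.51.100.9\tzz93p.example.com
198.51.100.9\t
198.51.100.9\tdeep.sub.example.com
198.51.100.9\tx.other.test
""" + "".join(f"198.51.100.9\tr{i}.example.com\n" for i in range(40))  # constructed burst


def covered_by_wildcard(name: str, zone: str) -> bool:
    """One-label match for '*.<zone>': case-insensitive, trailing dot tolerated."""
    name = name.lower().rstrip(".")
    suffix = "." + zone.lower()
    if not name.endswith(suffix) or len(name) <= len(suffix):
        return False
    return "." not in name[: -len(suffix)]


def distinct_sni_per_source(lines: Iterable[str], zone: str) -> Dict[str, Set[str]]:
    """Map each source IP to the set of distinct in-zone SNI names it presented."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for raw in lines:
        if not raw.strip():
            continue
        parts = raw.rstrip("\n").split("\t")
        src = parts[0]
        sni_field = parts[1] if len(parts) > 1 else ""
        for sni in sni_field.split(","):         # tshark joins repeated values with commas
            sni = sni.strip()
            if not sni:
                continue                          # ClientHello without SNI: cannot add a cache entry
            if covered_by_wildcard(sni, zone):    # names outside the wildcard do not grow the cache
                seen[src].add(sni.lower().rstrip("."))
    return seen


def flag_sources(seen: Dict[str, Set[str]], threshold: int) -> List[str]:
    """Sources that presented at least `threshold` distinct in-zone names."""
    return sorted(src for src, names in seen.items() if len(names) >= threshold)


if __name__ == "__main__":
    ZONE = "example.com"          # assumed: the zone of your wildcard certificate
    THRESHOLD = 20                # assumed: tune to your legitimate hostname count
    per_source = distinct_sni_per_source(SAMPLE_LINES.splitlines(), ZONE)
    for src, names in sorted(per_source.items()):
        print(f"{src}: {len(names)} distinct *.{ZONE} names")
    print("flagged:", flag_sources(per_source, THRESHOLD))
```

On Wireshark 3.0 and later the same field is named `tls.handshake.extensions_server_name`; the older `ssl.` prefix is kept as an alias. A sensible threshold is a little above the number of hostnames your wildcard certificate legitimately serves, since a normal client only ever presents a handful of them.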
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Disable server-side SNI handling if it is not required by your application.
- Avoid using wildcard or high-cardinality hostname mappings in your TLS certificates or server configuration.
- Implement connection or rate limiting in front of the affected service to reduce the impact of repeated connections with unique SNI values.
Additionally, upgrading to a fixed version of Eclipse Vert.x (5.0.12 or later) that includes a bounded cache with an LRU eviction policy is recommended to permanently resolve the issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2026-6860 on compliance with common standards and regulations such as GDPR or HIPAA.