Home / Advisories / CVE-2025-21502
CVE-2025-21502: HotSpot VM Arbitrary Code Execution Critical
Published: March 11, 2025 Last Updated: March 12, 2025 Advisory ID: JSEC-2025-0198 Patch: JSU-2025-0198

Vulnerability Description

A critical vulnerability has been identified in the Java HotSpot Virtual Machine that allows remote attackers to execute arbitrary code in the context of the Java process. The vulnerability exists in the JIT compiler's handling of certain bytecode sequences during optimization passes.

An attacker can exploit this vulnerability by crafting a malicious serialized Java object that, when deserialized by a vulnerable application, triggers a type confusion error in the JIT compiler. This leads to memory corruption that can be leveraged to achieve arbitrary code execution.

The vulnerability is particularly severe because it can be exploited remotely without authentication through any Java application that processes untrusted serialized data, including web applications using common frameworks such as Apache Struts, Spring Framework, and Oracle WebLogic Server.

Technical Details

The root cause is an incorrect bounds check elimination in the C2 JIT compiler when processing nested array access patterns within try-catch blocks. Under specific conditions, the compiler incorrectly determines that an array index is within bounds, leading to an out-of-bounds memory write. The attacker can control the offset and value written, enabling a reliable exploit chain.

The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 (Critical). Network-based exploitation requires no privileges or user interaction.

Affected Products

ProductVersionsPlatformStatus
Java SE Development Kit8u411, 8u412, 8u420AllVulnerable
Java SE Development Kit11.0.24, 11.0.25AllVulnerable
Java SE Development Kit17.0.12, 17.0.13AllVulnerable
Java SE Development Kit21.0.4, 21.0.5AllPartially
Java SE Runtime Environment8u411 - 8u420AllVulnerable
GraalVM Enterprise21.3.x, 22.3.xAllUnder Review
Java SE Development Kit8u421+AllPatched

Impact Analysis

Confidentiality
High
Integrity
High
Availability
High
Attack Complexity
Low

Successful exploitation of this vulnerability could allow an attacker to take complete control of the affected system. The attacker could install programs, view/change/delete data, or create new accounts with full user rights. Systems running Java applications that process untrusted input (e.g., web servers, application servers, middleware) are at highest risk.

Remediation Steps

  1. Recommended: Enable auto-patching to apply this fix automatically.
  2. Alternatively, identify all Java installations across your environment using the System Scanner overview or your organization's asset inventory.
  3. Obtain the appropriate patch from the Updates page for each affected version.
  4. For Java SE 8, upgrade to version 8u421 or later.
  5. For Java SE 11, upgrade to version 11.0.26 or later.
  6. For Java SE 17, upgrade to version 17.0.14 or later.
  7. For Java SE 21, upgrade to version 21.0.6 or later.
  8. Restart all Java-based services after applying the patch.
  9. As a temporary mitigation, the C2 JIT compiler can be disabled at the JVM level. Note: this will significantly reduce performance.
  10. Verify the patch was applied correctly by confirming the updated build number in your Java installation.
  11. Run a compliance check to confirm your environment meets the latest security baseline.

CVSS v3.1 Score

9.8
Critical Severity
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeUnchanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Jan 15, 2025
Vulnerability reported to Oracle
Jan 22, 2025
Report acknowledged and confirmed
Feb 10, 2025
CVE identifier assigned
Mar 4, 2025
Patch development completed
Mar 11, 2025
Patch released publicly
Apr 11, 2025
End of grace period

Related Advisories

Resources

© 2025 Oracle Corporation. Java Security Center v4.2.1
About Compliance Privacy Policy Terms of Use