CVE-2024-1300: io.vertx:vertx-core: memory leak when a TCP server is configured with TLS and SNI support

Published Feb 7, 2024

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.

Other sources

Since Vert.x 4.3.4, a bug leads to a memory leak when a TCP server is configured with TLS and SNI support: when such a server processes an unknown SNI server name, that is, a server name that would be assigned the default certificate instead of a server-name-mapped certificate, the SSL context is cached in the server name map. This map should only contain server names for which the configuration provides a valid certificate. As a consequence, a client can exploit this by sending TLS client hello messages whose server name extension indicates spurious server names, eventually triggering a JVM out-of-memory error.

This affects only TLS servers with SNI enabled (see https://vertx.io/docs/vertx-core/java/#servernameindicationsni).

It affects the Maven artifact io.vertx:vertx-core versions 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.5.0, 4.5.1 and 4.5.2.

Fix pull requests:
https://github.com/eclipse-vertx/vert.x/pull/5101 [Master]
https://github.com/eclipse-vertx/vert.x/pull/5100 [4.x]
https://github.com/eclipse-vertx/vert.x/pull/5099 [4.3]
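As an added illustration (not the project's own code and not part of the advisory), the caching pattern the description refers to, modelled in Java with a stand-in context type and constructed server names: the leaky variant inserts every SNI name it sees into the map, the bounded variant only names present in the configuration, so a client cannot grow the map by varying the server name extension. The class, record and hostnames below are all assumed for the example.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Illustrative model of an SNI-keyed SSL context cache; not Vert.x's own code.
public class SniContextCache {
    // Stand-in for the per-certificate SSL context (javax.net.ssl.SSLContext in practice).
    public record SslContext(String certificate) {}

    private final Map<String, SslContext> configured;   // names with a mapped certificate
    private final SslContext defaultContext;             // answer for every other name
    private final Map<String, SslContext> cache = new HashMap<>(); // keyed on SNI name

    public SniContextCache(Map<String, SslContext> configured, SslContext defaultContext) {
        this.configured = Map.copyOf(configured);
        this.defaultContext = defaultContext;
    }

    // Leaky pattern: every miss, including names chosen by the client, is inserted, so the
    // map grows with each unknown server name and is bounded only by the heap.
    public SslContext resolveLeaky(String serverName) {
        return cache.computeIfAbsent(serverName, n -> configured.getOrDefault(n, defaultContext));
    }

    // Bounded pattern: only configured names are ever inserted; an unknown name gets the
    // default context without touching the map.
    public SslContext resolveBounded(String serverName) {
        SslContext mapped = configured.get(serverName);
        return mapped == null ? defaultContext : cache.computeIfAbsent(serverName, n -> mapped);
    }

    public int cacheSize() { return cache.size(); }

    public static void main(String[] args) {
        // Constructed sample configuration: two mapped names plus a default certificate.
        Map<String, SslContext> cfg = Map.of("app.example.test", new SslContext("app-cert"),
                                             "api.example.test", new SslContext("api-cert"));
        SslContext dflt = new SslContext("default-cert");
        // Constructed client hello names: two configured, three unknown.
        List<String> helloNames = List.of("app.example.test", "api.example.test",
                "unknown-1.example.test", "unknown-2.example.test", "unknown-3.example.test");
        SniContextCache leaky = new SniContextCache(cfg, dflt);
        SniContextCache bounded = new SniContextCache(cfg, dflt);
        for (String name : helloNames) {
            leaky.resolveLeaky(name);
            bounded.resolveBounded(name);
        }
        // The leaky cache holds one entry per distinct name seen; the bounded cache holds
        // at most one entry per configured name, whatever the client sends.
        System.out.println("leaky cache size:   " + leaky.cacheSize());
        System.out.println("bounded cache size: " + bounded.cacheSize());
    }
}
```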

Red Hat

Affected Software

6 affected components, fixes available:

maven/io.vertx:vertx-core, affected >=4.5.0 <4.5.3, fixed in 4.5.3
maven/io.vertx:vertx-core, affected >=4.3.4 <4.4.8, fixed in 4.4.8
IBM Security Verify Information Queue <=10.0.8
IBM Security Verify Information Queue <=10.0.7
IBM Security Verify Information Queue <=10.0.6
IBM Security Verify Information Queue <=10.0.5

Event History

Feb 7, 2024
  Data Sourced via Red Hat, 07:18 AM (Description, Severity, Affected Software)
Apr 2, 2024
  CVE Published via MITRE, 07:33 AM
  Data Sourced via MITRE, 07:33 AM (Description, Severity, Weakness)
  Data Sourced via NVD, 08:15 AM (Description, Severity, Weakness)
  Advisory Published via GitHub, 09:30 AM
Sep 10, 2025
  Data Sourced via IBM, 12:00 AM (Description, Affected Software)

Parent advisories

This vulnerability appears in the following advisories.


Frequently Asked Questions

1. What is the severity of CVE-2024-1300?

CVE-2024-1300 is categorized as a moderate severity vulnerability due to its potential to cause resource exhaustion.

2. How do I fix CVE-2024-1300?

To mitigate CVE-2024-1300, update the io.vertx:vertx-core package to version 4.5.3 or 4.4.8 as recommended.

3. What type of vulnerability is CVE-2024-1300?

CVE-2024-1300 is a memory leak vulnerability affecting TCP servers configured with TLS and SNI support.

4. Which versions of io.vertx:vertx-core are affected by CVE-2024-1300?

CVE-2024-1300 affects io.vertx:vertx-core versions between 4.4.0 and 4.4.8 and 4.5.0 to 4.5.3.

5. What can happen if CVE-2024-1300 is exploited?

Exploitation of CVE-2024-1300 can lead to memory leaks, potentially resulting in performance degradation or denial of service.

© 2026 SecAlerts Pty Ltd.