CVE-2024-21094

Published Apr 14, 2024

A flaw was found in the C2 compiler in the Hotspot component of OpenJDK. C2 compilation fails with "Exceeded _node_regs array" due to an improper size validation and out-of-bounds array access, potentially resulting in a corruption of the JVM memory. Upstream OpenJDK issue: https://bugs.openjdk.org/browse/JDK-8317507

Affected Software

27 affected components · Fixes available
debian/openjdk-11: 11.0.24+8-2~deb11u1, 11.0.26+4-1~deb11u1, 11.0.27+6-1
debian/openjdk-17: 17.0.12+7-2~deb11u1, 17.0.14+7-1~deb11u1, 17.0.14+7-1~deb12u1, 17.0.15+6-1~deb12u1, 17.0.15+6-1
debian/openjdk-21: 21.0.7+6-1
debian/openjdk-8: 8u442-ga-2
Oracle GraalVM=20.3.13
Oracle GraalVM=21.3.9
Oracle GraalVM for JDK=17.0.10
Oracle GraalVM for JDK=21.0.2
Oracle GraalVM for JDK=22
Oracle JDK=1.8.0-update401
Oracle JDK=11.0.22
Oracle JDK=17.0.10
Oracle JDK=21.0.2
Oracle JDK=22.0.1
Oracle JRE=1.8.0-update401
Oracle JRE=11.0.22
Oracle JRE=17.0.10
Oracle JRE=21.0.2
Oracle JRE=22.0.1
NetApp Active Iq Unified Manager Vmware Vsphere
NetApp Active Iq Unified Manager Windows
NetApp Data Infrastructure Insights Acquisition Unit
NetApp Data Infrastructure Insights Storage Workload Security Agent
NetApp OnCommand Insight
NetApp OnCommand Workflow Automation
Debian Debian Linux=10.0
IBM InfoSphere Data Architect<=9.2.1

Event History

Apr 14, 2024
Data Sourced via Red Hat · 05:11 PM (Description, Severity, Affected Software)
Apr 16, 2024
CVE Published via MITRE · 09:26 PM
Data Sourced via MITRE · 09:26 PM (Description, Severity)
Data Sourced via NVD · 10:15 PM (Description, Severity, Weakness)
Jun 6, 2024
Data Sourced via Launchpad · 04:54 AM (Description)
Nov 15, 2024
Data Sourced via Ubuntu · 05:44 AM (Remedy, Description, Severity, Affected Software)
Mar 4, 2026
Data Sourced via IBM · 12:00 AM (Description, Affected Software)

Frequently Asked Questions

1. What is the severity of CVE-2024-21094?

CVE-2024-21094 is considered a high severity vulnerability due to the potential for JVM memory corruption.

2. How do I fix CVE-2024-21094?

To fix CVE-2024-21094, you should update OpenJDK to the recommended patched versions for your system.

3. Which versions of OpenJDK are affected by CVE-2024-21094?

CVE-2024-21094 affects various versions of OpenJDK including versions 8, 11, 17, and 21 up to specific builds.

4. What type of vulnerability is CVE-2024-21094?

CVE-2024-21094 is an out-of-bounds access vulnerability found in the C2 compiler of the Hotspot component of OpenJDK.

5. What products are impacted by CVE-2024-21094?

CVE-2024-21094 impacts IBM Storage Protect Backup-Archive Client as well as several OpenJDK packages on Debian.

© 2026 SecAlerts Pty Ltd.