GHSA-3g76-f9xq-8vp6

Suggest an improvement
Source
https://github.com/advisories/GHSA-3g76-f9xq-8vp6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-3g76-f9xq-8vp6/GHSA-3g76-f9xq-8vp6.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3g76-f9xq-8vp6
Aliases
  • CVE-2026-6860
Downstream
Related
Published
2026-05-09T00:38:30Z
Modified
2026-05-13T15:32:00.295553Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L CVSS Calculator
Summary
Vert.x has a DoS via unbounded server-side SNI SslContext cache growth
Details

Potential unbounded server-side SNI SslContext cache growth in Vert.x TLS handling, with possible resource-exhaustion / DoS impact.

On affected versions, matching server-side SNI names are cached via computeIfAbsent(serverName, ...) in a serverName-keyed SslContext cache, and I could not find any bound, TTL, or eviction for that cache.

The implementation differs slightly by branch, but the same sink appears to be present in released versions 4.3.4 through 5.0.8: - 4.3.x: SSLHelper - 4.4.x / 4.5.x: SslChannelProvider - 5.0.x and current master: SslContextProvider

It appears that when server-side SNI is enabled, and wildcard or otherwise broad hostname mappings are used, an unauthenticated client can send many distinct matching SNI names and cause the server to retain increasing numbers of SslContext entries over time, leading to increasing memory consumption and possible DoS conditions.

A check was performed on the related TCP SNI path across affected versions, the QUIC SNI path on 5.x, and the wildcard hostname resolution helpers used during certificate selection.

Steps to reproduce

  1. Configure a Vert.x server with setSsl(true) and setSni(true).
  2. Use a keystore or mapping where many distinct SNI names match a wildcard or similarly broad rule.
  3. Send repeated connections with distinct matching SNI values.
  4. Observe that the SNI cache size grows with the number of unique matching names.

Local observations: - initial sniEntrySize() = 0 - after 20 unique matching names: 20 - after 40 unique matching names: 40 - repeating previously seen matching names did not grow the cache further - non-matching SNI names did not create new cache entries

What are the affected versions?

Affected released versions confirmed on origin: - 4.3.4 through 4.3.8 - 4.4.0 through 4.4.9 - 4.5.0 through 4.5.25 - 5.0.0 through 5.0.8

Not affected by the same sink: - 4.0.x through 4.2.x - 4.3.0 through 4.3.3

Are there any ways to mitigate this issue?

  • Disable server-side SNI if it is not needed.
  • Avoid wildcard or otherwise high-cardinality hostname mappings where feasible.
  • Apply connection or rate limiting in front of the service.
Database specific 
{
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-295",
        "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-09T00:38:30Z",
    "nvd_published_at": "2026-05-06T10:16:26Z"
}
References

Affected packages

Maven / io.vertx:vertx-core

Package

Name
io.vertx:vertx-core
View open source insights on deps.dev
Purl
pkg:maven/io.vertx/vertx-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.3.4
Last affected
4.3.8

Affected versions

4.*
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-3g76-f9xq-8vp6/GHSA-3g76-f9xq-8vp6.json"

Maven / io.vertx:vertx-core

Package

Name
io.vertx:vertx-core
View open source insights on deps.dev
Purl
pkg:maven/io.vertx/vertx-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Last affected
4.4.9

Affected versions

4.*
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.7
4.4.8
4.4.9

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-3g76-f9xq-8vp6/GHSA-3g76-f9xq-8vp6.json"

Maven / io.vertx:vertx-core

Package

Name
io.vertx:vertx-core
View open source insights on deps.dev
Purl
pkg:maven/io.vertx/vertx-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.5.0
Last affected
4.5.25

Affected versions

4.*
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.7
4.5.8
4.5.9
4.5.10
4.5.11
4.5.12
4.5.13
4.5.14
4.5.15
4.5.16
4.5.17
4.5.18
4.5.19
4.5.20
4.5.21
4.5.22
4.5.23
4.5.24
4.5.25

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-3g76-f9xq-8vp6/GHSA-3g76-f9xq-8vp6.json"

Maven / io.vertx:vertx-core

Package

Name
io.vertx:vertx-core
View open source insights on deps.dev
Purl
pkg:maven/io.vertx/vertx-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Last affected
5.0.8

Affected versions

5.*
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.0.7
5.0.8

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-3g76-f9xq-8vp6/GHSA-3g76-f9xq-8vp6.json"