CVE-2026-6860: Vert.x has a DoS via unbounded server-side SNI SslContext cache growth
(updated )
Potential unbounded server-side SNI SslContext cache growth in Vert.x TLS handling, with = resource-exhaustion / DoS impact. On affected versions, matching server-side SNI names are cached via computeIfAbsent(serverName, ...) in a serverName-keyed SslContext cache.
The implementation differs slightly by branch, but the same sink appears to be present in released versions 4.3.4 through 5.0.11:
4.3.x:SSLHelper4.4.x/4.5.x:SslChannelProvider5.0.xand currentmaster:SslContextProvider
When server-side SNI is enabled and wildcard or otherwise broad hostname mappings are used, an unauthenticated client can send many distinct matching SNI names and cause the server to retain increasing numbers of SslContext entries over time, leading to increasing memory consumption and possible DoS conditions.
References
- github.com/advisories/GHSA-3g76-f9xq-8vp6
- github.com/eclipse-vertx/vert.x/pull/6102
- github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6
- github.com/vert-x3/wiki/wiki/4.5.27-Release-Notes
- gitlab.eclipse.org/security/vulnerability-reports/-/issues/381
- nvd.nist.gov/vuln/detail/CVE-2026-6860
- vertx.io/blog/eclipse-vert-x-4-5-27
- vertx.io/blog/eclipse-vert-x-5-0-12
Code Behaviors & Features
Detect and mitigate CVE-2026-6860 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →