{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24802", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "state": "PUBLISHED", "assignerShortName": "GovTech CSG", "dateReserved": "2026-01-27T08:18:43.268Z", "datePublished": "2026-01-27T08:38:34.944Z", "dateUpdated": "2026-01-27T17:03:30.291Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/briandilley/jsonrpc4j", "defaultStatus": "unaffected", "modules": ["src/main/java/com/googlecode/jsonrpc4j"], "product": "jsonrpc4j", "programFiles": ["NoCloseOutputStream.java"], "vendor": "briandilley", "versions": [{"lessThanOrEqual": "1.6.0", "status": "affected", "version": "0", "versionType": "git"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules).<p> This vulnerability is associated with program files <tt>NoCloseOutputStream.Java</tt>.</p><p>This issue affects jsonrpc4j: through 1.6.0.</p>"}], "value": "Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules). This vulnerability is associated with program files NoCloseOutputStream.Java.\n\nThis issue affects jsonrpc4j: through 1.6.0."}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.3, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:L/AU:Y/R:A/V:D/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-835", "description": "CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:38:34.944Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/briandilley/jsonrpc4j/pull/333"}], "source": {"discovery": "UNKNOWN"}, "title": "Buffer Overflow Vulnerability in briandilley/jsonrpc4j", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-27T17:03:21.183871Z", "id": "CVE-2026-24802", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T17:03:30.291Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24802", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-27T17:03:21.183871Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-27T17:03:25.614Z"}}], "cna": {"title": "Buffer Overflow Vulnerability in briandilley/jsonrpc4j", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "TITAN Team (titancaproject@gmail.com)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "AUTOMATIC", "baseScore": 5.3, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:L/AU:Y/R:A/V:D/RE:M/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "briandilley", "modules": ["src/main/java/com/googlecode/jsonrpc4j"], "product": "jsonrpc4j", "versions": [{"status": "affected", "version": "0", "versionType": "git", "lessThanOrEqual": "1.6.0"}], "programFiles": ["NoCloseOutputStream.java"], "collectionURL": "https://github.com/briandilley/jsonrpc4j", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/briandilley/jsonrpc4j/pull/333", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules). This vulnerability is associated with program files NoCloseOutputStream.Java.\n\nThis issue affects jsonrpc4j: through 1.6.0.", "supportingMedia": [{"type": "text/html", "value": "Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules).<p> This vulnerability is associated with program files <tt>NoCloseOutputStream.Java</tt>.</p><p>This issue affects jsonrpc4j: through 1.6.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-835", "description": "CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')"}]}], "providerMetadata": {"orgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "shortName": "GovTech CSG", "dateUpdated": "2026-01-27T08:38:34.944Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24802", "state": "PUBLISHED", "dateUpdated": "2026-01-27T17:03:30.291Z", "dateReserved": "2026-01-27T08:18:43.268Z", "assignerOrgId": "1a37b84a-8e51-4525-b3d6-87e2fae01dbd", "datePublished": "2026-01-27T08:38:34.944Z", "assignerShortName": "GovTech CSG"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules). This vulnerability is associated with program files NoCloseOutputStream.Java.\n\nThis issue affects jsonrpc4j: through 1.6.0."}, {"lang": "es", "value": "Vulnerabilidad de bucle con condici\u00f3n de salida inalcanzable ('Bucle infinito') en briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules). Esta vulnerabilidad est\u00e1 asociada con los archivos de programa NoCloseOutputStream.Java.\n\nEste problema afecta a jsonrpc4j: hasta la versi\u00f3n 1.6.0."}], "id": "CVE-2026-24802", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "AUTOMATIC", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "AMBER", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "DIFFUSE", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:D/RE:M/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "MODERATE"}, "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}, "published": "2026-01-27T09:15:50.187", "references": [{"source": "cve_disclosure@tech.gov.sg", "url": "https://github.com/briandilley/jsonrpc4j/pull/333"}], "sourceIdentifier": "cve_disclosure@tech.gov.sg", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-835"}], "source": "cve_disclosure@tech.gov.sg", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T02:26:16.385099+00:00", "value": {"mitigation_remediation": ["Upgrade jsonrpc4j to a version newer than 1.6.0, such as 1.6.1 if available, to remove the flawed loop.", "Limit external access to the JSON\u2011RPC service so only trusted clients can invoke it, thereby reducing the attack surface for the infinite loop.", "Implement application\u2011level watchdogs or process resource limits to detect when the service stalls and restart it automatically."], "summary": {"action": "Assess Impact", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The affected product is jsonrpc4j from briandilley, version 1.6.0 and earlier. Projects that embed this version and expose the JSON\u2011RPC endpoint may be vulnerable if proper access controls are not in place.", "description_and_impact": "The vulnerability originates from a loop with an unreachable exit condition in the jsonrpc4j library, classified as CWE-835. When triggered, the loop runs indefinitely, consuming CPU resources and preventing the application from processing further requests, effectively causing a denial of service. The publisher labels it as a buffer overflow, but the underlying flaw is an infinite loop rather than a memory corruption issue.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, and the EPSS score is below 1\u202f%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector would be remote, via crafted inbound requests to the JSON\u2011RPC service, though this is inferred from the nature of the library and not explicitly stated in the advisory. Exploitation would require an attacker to send data that triggers the loop, resulting in the service becoming unresponsive until it is restarted or a watchdog recovers it."}}}}, "created": "2026-01-27T20:16:47.532467+00:00", "updated": "2026-04-18T02:30:15.868508+00:00", "vendors": ["briandilley", "briandilley$PRODUCT$jsonrpc4j"]}