CVE-2024-38286 [High] | Denial of Service in Tomcat

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-01-18	0.55%	0.41%	-0.13%
2	2025-11-21	3.82%	0.55%	-3.27%
3	2025-11-18	—	3.82%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-01-18

0.55%

0.41%

-0.13%

2025-11-21

3.82%

0.55%

-3.27%

2025-11-18

—

3.82%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
8.6	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:C) Breaking this can reach past the original component and bite other resources—bigger blast radius. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	4.0	[email protected]
7.5	3.1	HIGH	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:N) Doesn’t really leak secrets in a meaningful way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	3.6	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

8.6

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C): Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

4.0

[email protected]

7.5

3.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N): Doesn’t really leak secrets in a meaningful way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

3.6

[email protected]

OS Trackers for CVE-2024-38286

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2024-38286 not yet assigned priority: Debian including 2 source packages (tomcat10, tomcat9), 9 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 9.	https://security-tracker.debian.org/tracker/CVE-2024-38286
`redhat`	high	—	https://access.redhat.com/security/cve/CVE-2024-38286
`suse`	high	CVE-2024-38286 severity important: SUSE including 41 source package names (tomcat, tomcat-9.0.36-3.130.1, …), 173 product×package rows across 22 product lines (SUSE Liberty Linux 8, SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS, … (22 product lines)): Known Not Affected 147, Fixed 26.	https://www.suse.com/security/cve/CVE-2024-38286/
`ubuntu`	medium	CVE-2024-38286 medium priority: Ubuntu including 6 source packages (tomcat10, tomcat11, tomcat6, tomcat7, tomcat8, tomcat9), 51 status rows across 10 suites (bionic, focal, jammy, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 26, released 10, not-affected 9, ignored 3, needs-triage 2, needed 1.	https://ubuntu.com/security/CVE-2024-38286

Affected software / configurations for CVE-2024-38286

Vendor	Product	Version	Raw CPE
apache	tomcat	>= 9.0.13, < 9.0.90	cpe:2.3:a:apache:tomcat::::::::
apache	tomcat	>= 10.1.1, < 10.1.25	cpe:2.3:a:apache:tomcat::::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone1::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone10::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone11::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone12::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone13::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone14::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone15::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone16::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone17::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone18::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone19::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone2::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone20::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone3::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone4::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone5::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone6::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone7::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone8::::::
apache	tomcat	10.1.0	cpe:2.3:a:apache:tomcat:10.1.0:milestone9::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone1::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone10::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone11::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone12::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone13::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone14::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone15::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone16::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone17::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone18::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone19::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone2::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone20::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone3::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone4::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone5::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone6::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone7::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone8::::::
apache	tomcat	11.0.0	cpe:2.3:a:apache:tomcat:11.0.0:milestone9::::::
netapp	ontap_tools	9	cpe:2.3:a:netapp:ontap_tools:9:::::vmware_vsphere::
netapp	ontap_tools	10	cpe:2.3:a:netapp:ontap_tools:10:::::vmware_vsphere::

References for CVE-2024-38286

URL	Tags
https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s	Mailing List
http://www.openwall.com/lists/oss-security/2024/09/23/2	Mailing List
https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html
https://security.netapp.com/advisory/ntap-20241101-0010/	Third Party Advisory

URL

CVE-2024-38286 | Apache Tomcat: Denial of Service

Exploit prediction scoring system (EPSS) score for CVE-2024-38286

Common vulnerability scoring system (CVSS) metrics for CVE-2024-38286

Weakness enumeration for CVE-2024-38286

GitHub Security Advisory for CVE-2024-38286

OS Trackers for CVE-2024-38286

Affected software / configurations for CVE-2024-38286

References for CVE-2024-38286