In Eclipse OpenJ9 release versions prior to 0.44.0 and after 0.13.0, when running with JVM option -Xgc:concurrentScavenge, the sequence generated for System.arrayCopy on the IBM Z platform with hardware and software support for guarded storage [1], could allow access to a buffer with an incorrect length value when executing an arraycopy sequence while the Concurrent Scavenge Garbage Collection cycle is active and the source and destination memory regions for arraycopy overlap. This allows read and write to addresses beyond the end of the array range.
Conclusion & alert: CVE-2024-3933 is rated Low Risk (25.1/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.21%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.07% | 0.21% | +0.14% |
| 2 | 2025-11-21 | 0.05% | 0.07% | +0.02% |
| 3 | 2025-11-18 | — | 0.05% | — |
Full EPSS history (7 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.3 | 3.1 | MEDIUM |
|
1.0 | 4.2 | [email protected] |
| 7.3 | 3.1 | HIGH |
|
1.8 | 5.5 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
suse
|
medium | CVE-2024-3933 severity moderate: SUSE including 87 source package names (java-10-openjdk, java-10-openjdk-accessibility, …), 578 product×package rows across 84 product lines (Image SLES15-SP3-SAP-Azure-LI-BYOS-Production, Image SLES15-SP3-SAP-Azure-VLI-BYOS-Production, … (84 product lines)): Known Not Affected 366, Fixed 212. | https://www.suse.com/security/cve/CVE-2024-3933/ |
| URL | Tags |
|---|---|
| https://github.com/eclipse/omr/pull/7275 | Issue Tracking Patch |
| https://gitlab.eclipse.org/security/cve-assignement/-/issues/21 | Issue Tracking Vendor Advisory |