CVE-2018-10237

Name: CVE-2018-10237
Creator: NVD / NIST
Published: 2018-04-26T21:29:00.23+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.9/10EPSS 5.12%

Last modified Jun 17, 2026

CVE-2018-10237 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.. EPSS estimates a 5.12% chance of exploitation in the next 30 days.

Description

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Metrics

CVSS 3.1

5.9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

5.12%

91.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-770

Affected Software

Vendor	Product	Versions
Google	Guava	>= 11.0, < 24.1.1
Redhat	Openshift Container Platform	3.11
Redhat	Openstack	13
Redhat	Satellite	6.4
Redhat	Satellite Capsule	6.4
Redhat	Virtualization	4.2
Redhat	Virtualization Host	4.0
Redhat	Jboss Enterprise Application Platform	6.0.0
Redhat	Jboss Enterprise Application Platform	6.4.0
Redhat	Jboss Enterprise Application Platform	7.1.0
Redhat	Openshift Container Platform	4.1
Redhat	Virtualization	4.0
Oracle	Banking Payments	>= 14.1.0, <= 14.4.0
Oracle	Communications Ip Service Activator	7.3.0
Oracle	Communications Ip Service Activator	7.4.0
Oracle	Customer Management And Segmentation Foundation	18.0
Oracle	Database Server	12.2.0.1
Oracle	Database Server	18c
Oracle	Database Server	19c
Oracle	Flexcube Investor Servicing	12.1.0
Oracle	Flexcube Investor Servicing	12.3.0
Oracle	Flexcube Investor Servicing	12.4.0
Oracle	Flexcube Investor Servicing	14.0.0
Oracle	Flexcube Investor Servicing	14.1.0
Oracle	Flexcube Private Banking	12.0.0
Oracle	Flexcube Private Banking	12.1.0
Oracle	Retail Integration Bus	15.0
Oracle	Retail Integration Bus	16.0
Oracle	Retail Xstore Point Of Service	7.1
Oracle	Retail Xstore Point Of Service	15.0
Oracle	Retail Xstore Point Of Service	16.0
Oracle	Retail Xstore Point Of Service	17.0
Oracle	Weblogic Server	12.2.1.3.0

References

Timeline

Published: Apr 26, 2018
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2018-10237?

How severe is CVE-2018-10237?

CVE-2018-10237 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 5.12% probability of exploitation in the next 30 days.

How do I fix CVE-2018-10237?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-10237?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST