CVE-2024-38286

high

Published 2024-08-21 · Modified 2026-02-04

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS v2

—

VIR risk

8.0

Description

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-38286

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2024-38286.html

vendor Authored 2026-05-27

Vendor advisory: redhat — https://access.redhat.com/errata/RHSA-2024:5693

OS impact

OS	Version	Status	Fixed in
rhel	9	fixed
sles		affected
debian	bookworm	fixed	`10.1.34-0+deb12u1`
debian	forky	fixed	`10.1.25-1`
debian	sid	fixed	`10.1.25-1`
debian	trixie	fixed	`10.1.25-1`
debian	bullseye	fixed	`9.0.43-2~deb11u11`

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	org.apache.tomcat:tomcat-util	`>=11.0.0-M1,<11.0.0-M21`	`11.0.0-M21`
Maven	org.apache.tomcat:tomcat-util	`>=10.1.0-M1,<10.1.25`	`10.1.25`
Maven	org.apache.tomcat:tomcat-util	`>=9.0.13,<9.0.90`	`9.0.90`
Maven	org.apache.tomcat:tomcat-util	`>=8.5.35,<=8.5.100`
Maven	org.apache.tomcat:tomcat-util	`>=7.0.92,<=7.0.109`

References

Verify integrity in audit chain (admin only). AS-IS.