CVE-2024-23086

9.8 CRITICAL

📋 TL;DR

CVE-2024-23086 is a disputed vulnerability in Apfloat v1.10.1: a reported stack overflow in the DoubleModMath::modPow method that could, if the report is valid, allow arbitrary code execution. Multiple third parties dispute the finding and question the evidence behind it. If it is valid, any application that uses this arbitrary-precision arithmetic library could be affected.

💻 Affected Systems

Products:
  • Apfloat
Versions: v1.10.1 specifically mentioned
Operating Systems: All platforms running Java applications using Apfloat
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is disputed by multiple third parties who question the evidence. The submission may have been based on insufficient tooling.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, if the vulnerability is valid and exploitable.

🟠 Likely Case: Application crash or denial of service; given the disputed nature of the report and the lack of confirmed exploitation, code execution is unlikely.

🟢 If Mitigated: No impact if the vulnerability is invalid as disputed, or minimal disruption with proper input validation in place.

🌐 Internet-Facing: LOW due to disputed validity and lack of confirmed exploitation vectors.
🏢 Internal Only: LOW due to disputed nature and specialized library usage.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

No public proof-of-concept exists. Exploitation would require specific conditions and the vulnerability is disputed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Monitor the Apfloat GitHub repository for updates.

🔧 Temporary Workarounds

  • Input validation (applies to: all): Implement strict input validation for parameters passed to Apfloat methods
  • Library replacement (applies to: all): Consider using an alternative arbitrary-precision arithmetic library

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems using Apfloat
  • Monitor for unusual application crashes or memory usage patterns

🔍 How to Verify

Check if Vulnerable:

Check if your application uses Apfloat v1.10.1 by examining dependencies or running: java -cp your-app.jar org.apfloat.ApfloatContext

Check Version:

Check Maven/Gradle dependencies or examine JAR manifest for Apfloat version

Verify Fix Applied:

Verify Apfloat version is not v1.10.1 or check for updates from the official repository

📡 Detection & Monitoring

Log Indicators:

  • Stack overflow exceptions in Java logs
  • Application crashes with memory-related errors

Network Indicators:

  • Unusual outbound connections from Java processes

SIEM Query:

source="java.logs" AND ("StackOverflowError" OR "OutOfMemoryError") AND process="*apfloat*"
