CVE-2007-3655

JRE 5.0 Update 11 and earlier, 6.0 Update 1 and earlier - Remote Code Execution via JNLP File

Exploitation Summary

EIP tracks 2 public exploits for CVE-2007-3655. PoCs published by ZhenHan.Liu, Daniel Soeder.

Description

Stack-based buffer overflow in javaws.exe in Sun Java Web Start in JRE 5.0 Update 11 and earlier, and 6.0 Update 1 and earlier, allows remote attackers to execute arbitrary code via a long codebase attribute in a JNLP file.

Exploits (2)

exploitdb · WORKING POC · VERIFIED
by ZhenHan.Liu · dos · windows
https://www.exploit-db.com/exploits/4168

This VBScript generates a malicious JNLP file exploiting a buffer overflow in Java Web Start (javaws.exe) by crafting an overly long 'codebase' attribute. The PoC demonstrates the vulnerability but lacks a functional shellcode payload.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Java Web Start (javaws.exe) v6.0.10.6
No auth needed
Prerequisites: Java Web Start installed · Victim opens the malicious JNLP file
devstral-2 · analyzed Feb 16, 2026

exploitdb · WORKING POC
by Daniel Soeder · remote · linux
https://www.exploit-db.com/exploits/30284

This VBScript generates a malicious JNLP file exploiting a stack-based buffer overflow in Sun Java Runtime Environment (CVE-2007-3655). The overflow occurs due to improper bounds checking in the `sprintf` function when processing a long `codebase` attribute.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Sun Java Runtime Environment 6 update 1, Java Runtime Environment 5 update 11
No auth needed
Prerequisites: Victim must open the malicious JNLP file with a vulnerable JRE version
devstral-2 · analyzed Feb 16, 2026

References (29)

Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-0818.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/37756
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/2477
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26314
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/24832
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/26369
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/35320
Third Party Advisory vendor-advisory x_refsource_gentoo
http://security.gentoo.org/glsa/glsa-200804-28.xml
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/29858
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/Security-announce/2007/Dec/msg00001.html
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/25981
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/2874
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1018346
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2007/4224
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/473356/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/30780
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/473224/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/27266
Vendor Advisory vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102996-1
Vendor Advisory vendor-advisory x_refsource_suse
http://www.novell.com/linux/security/advisories/2007_56_ibmjava.html
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11367
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/28115
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/30284
Third Party Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200804-20.xml
Third Party Advisory vendor-advisory x_refsource_gentoo
http://www.gentoo.org/security/en/glsa/glsa-200806-11.xml
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2007-0829.html
Mailing List mailing-list x_refsource_fulldisc
http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064552.html

Scores

EPSS 0.6225
EPSS Percentile 98.4%

Details

CWE: CWE-119
Status: published
Products (2):
sun/jre 1.5.0 update1 (11 CPE variants)
sun/jre 1.6.0 update_1
Published: Jul 10, 2007
Tracked Since: Feb 18, 2026