On Mon, 11 Aug 2025 11:33:19 GMT, Per Minborg <pminb...@openjdk.org> wrote:
> ### Description > This PR proposes to update the `ClassLoader` implementation to properly guard > access to the provided `ByteBuffer` when defining a class using > `defineClass(String, ByteBuffer, ...)`. Specifically, calls to > `SharedSecrets.getJavaNioAccess().acquireSession(ByteBuffer)` and > `releaseSession(ByteBuffer)` have been introduced to ensure safe and > consistent buffer access throughout the native class definition process, even > in the case of a `ByteBuffer` is backed by a `MemorySegment`. > > ### Impact > This modification is internal to the `ClassLoader` implementation and does > not affect the public API. > Improves the robustness and security of class loading from buffers. > > ### Testing > Tier 1, 2, and 3 JDK tests pass on multiple platforms. This pull request has now been integrated. Changeset: 19f0755c Author: Per Minborg <pminb...@openjdk.org> URL: https://git.openjdk.org/jdk/commit/19f0755c48e998b5b136ca58ea21eb3b54bc7b33 Stats: 92 lines in 2 files changed: 88 ins; 0 del; 4 mod 8365203: defineClass with direct buffer can cause use-after-free Reviewed-by: jpai ------------- PR: https://git.openjdk.org/jdk/pull/26724
