PatchSiren cyber security CVE debrief

CVE-2026-27830 swaldman CVE debrief

The c3p0 JDBC connection pooling library, prior to version 0.12.0, contains a vulnerability that allows attackers to execute arbitrary code via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. The `userOverridesAsString` property in `ConnectionPoolDataSource` implementations was previously maintained as a hex-encoded serialized object, which could be exploited by attackers to execute unexpected code on the application's classpath. This vulnerability was exacerbated by issues in c3p0's main dependency, mchange-commons-java, which included ungated support for remote `factoryClassLocation` values. The vulnerability has been mitigated in c3p0 version 0.12.0 and above, which uses a safe CSV-based format for the `userOverridesAsString` property and restricts remote `factoryClassLocation` values by default.

Vendor: swaldman
Product: c3p0
CVSS: HIGH 8.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-06-30
Advisory published: 2026-02-26
Advisory updated: 2026-06-30

Who should care

Developers and administrators using the c3p0 JDBC connection pooling library, particularly those using versions prior to 0.12.0, should be aware of this vulnerability and take steps to mitigate it. This includes updating to version 0.12.0 or later and ensuring that mchange-commons-java is updated to version 0.4.0 or later. Additionally, users of Red Hat products may need to apply errata to affected systems.

Technical summary

The c3p0 library, used for JDBC connection pooling, stored its `userOverridesAsString` property as a hex-encoded serialized Java object. An attacker able to control that value could inject malicious Java objects, potentially leading to code execution. The issue was compounded by vulnerabilities in mchange-commons-java, a dependency of c3p0, which allowed remote code execution via JNDI references. The vulnerability has been addressed by changing the format of `userOverridesAsString` to a safer CSV-based format and by restricting remote `factoryClassLocation` values in mchange-commons-java.
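A quick way to find configurations still carrying the legacy hex-serialized form is to look for the Java serialization stream header (0xACED0005) in any `userOverridesAsString` value. The script below is an added example, not code from PatchSiren or the c3p0 project; it assumes the standard `c3p0.properties` and `c3p0-config.xml` layouts, and its sample values are constructed (the plain value is a placeholder, not c3p0's actual 0.12.0 CSV syntax).

```python
import re
import xml.etree.ElementTree as ET

# Every Java serialization stream opens with STREAM_MAGIC 0xACED and STREAM_VERSION 0x0005.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

def is_hex_serialized_java(value: str) -> bool:
    """True when value is a hex string whose decoded bytes start with the Java serialization magic."""
    v = value.strip()
    if len(v) < 8 or len(v) % 2 or not HEX_RE.match(v):
        return False
    return bytes.fromhex(v).startswith(JAVA_SERIAL_MAGIC)

def overrides_from_properties(text: str) -> list:
    """Return userOverridesAsString values from c3p0.properties-style text (key=value lines)."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().endswith("userOverridesAsString"):
            found.append(val.strip())
    return found

def overrides_from_xml(text: str) -> list:
    """Return userOverridesAsString values from a c3p0-config.xml document."""
    root = ET.fromstring(text)
    return [(p.text or "").strip() for p in root.iter("property")
            if p.get("name") == "userOverridesAsString"]

def audit(values) -> list:
    """Pair each value with a verdict: 'serialized-java' needs the 0.12.0 migration, else 'plain'."""
    return [("serialized-java" if is_hex_serialized_java(v) else "plain", v[:20]) for v in values]

# Constructed samples: the hex value is only the stream header plus filler bytes, not a real object.
SAMPLE_PROPS = """# constructed c3p0.properties
c3p0.maxPoolSize=20
c3p0.userOverridesAsString=ACED00057372000B6A6176612E7574696C2E
"""
SAMPLE_XML = """<c3p0-config><default-config>
  <property name="userOverridesAsString">user1:maxPoolSize=5</property>
</default-config></c3p0-config>"""

if __name__ == "__main__":
    for verdict, head in audit(overrides_from_properties(SAMPLE_PROPS) + overrides_from_xml(SAMPLE_XML)):
        print(verdict, head)
```

Any `serialized-java` finding means the value was written by a pre-0.12.0 c3p0 and should be regenerated after the upgrade; the scan is a configuration check only and does not decode the object.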

Defensive priority

High priority should be given to updating c3p0 to version 0.12.0 or later and ensuring that mchange-commons-java is updated to version 0.4.0 or later. Additionally, administrators should review their systems for any signs of compromise and apply errata to affected Red Hat systems.

Recommended defensive actions

  • Update c3p0 to version 0.12.0 or later
  • Update mchange-commons-java to version 0.4.0 or later
  • Review systems for signs of compromise
  • Apply errata to affected Red Hat systems
  • Monitor for suspicious activity

Evidence notes

The CVE record and NVD detail provide information on the vulnerability and its mitigation. Additional sources, including GitHub advisories and Red Hat errata, offer further context and guidance on addressing the issue.

This article was generated with AI assistance based on the supplied source corpus.