CVE-2022-3676: 
Homebrew vulnerability analysis and mitigation

In Eclipse OpenJ9 before version 0.35.0, a vulnerability was discovered where interface calls could be inlined without proper runtime type checking. This vulnerability was assigned CVE-2022-3676 and was disclosed on October 24, 2022. The vulnerability affects Eclipse OpenJ9 versions prior to 0.35.0 (Eclipse CVE).

The vulnerability stems from a flaw in the Just-In-Time (JIT) compiler where interface calls could be inlined without proper runtime type verification. Specifically, malicious bytecode could exploit this inlining process to access or modify memory through incompatible types. The issue is classified under CWE-20 (Improper Input Validation) and CWE-843 (Access of Resource Using Incompatible Type) (Eclipse Issue).

When exploited, this vulnerability could allow malicious bytecode to access or modify memory via incompatible types, potentially leading to type confusion attacks. The vulnerability could enable unauthorized access to memory regions and potential manipulation of program data (Eclipse Issue).

The vulnerability was addressed in Eclipse OpenJ9 version 0.35.0 through modifications to the JIT compiler's inlining behavior. The fix includes preventing nop guards for interface call sites and stopping the devirtualization of interface calls in preexistence (GitHub PR, OMR PR).