CVE-2018-10237 in WebLogic Server

Summary

by MITRE

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.


Analysis

by VulDB Data Team • 01/11/2026

The vulnerability identified as CVE-2018-10237 represents a critical denial of service weakness affecting Google Guava library versions 11.0 through 24.x before 24.1.1. The issue stems from improper input validation during deserialization: a remote attacker who can supply serialized data to a server can make that server commit memory on the attacker's terms. The flaw specifically affects the AtomicDoubleArray class under Java serialization and the CompoundOrdering class under GWT serialization, which makes it particularly dangerous in environments where untrusted data flows through these components.

The technical flaw manifests in the eager memory allocation behavior of these serialized classes, which lack adequate bounds checking on incoming data sizes. When the AtomicDoubleArray class processes Java-serialized data, it allocates memory based on the element count stated in the serialized payload, before reading the elements and without verifying that the requested allocation is reasonable. The CompoundOrdering class exhibits the same weakness when handling GWT-serialized data, performing unbounded allocation that an attacker can use to consume excessive system resources. This behavior maps directly to CWE-770 (allocation of resources without limits or throttling), creating a pathway for resource exhaustion attacks.

The operational impact of this vulnerability extends beyond simple denial of service conditions, as it can effectively disable entire server applications or services that depend on affected Guava library versions. Attackers can construct serialized payloads that request enormous memory allocations, potentially causing out-of-memory errors, system crashes, or complete service unavailability. Servers processing untrusted input through these vulnerable classes become prime targets for resource exhaustion attacks, particularly in high-traffic environments where the vulnerability can be exploited repeatedly to maintain sustained denial of service conditions. The vulnerability affects a wide range of applications that rely on Guava's collection utilities and serialization capabilities, making it a widespread concern across multiple software ecosystems.

Organizations should prioritize immediate remediation by upgrading to Guava library version 24.1.1 or later, which includes proper bounds checking and memory allocation limits for the affected classes. In addition, serialization validation (restricting which classes and sizes a stream may deserialize), network segmentation, and input sanitization provide further defense layers. The vulnerability demonstrates the importance of proper resource management in serialization frameworks and aligns with ATT&CK technique T1499.004, which covers network denial of service attacks through resource exhaustion. Security teams should also consider monitoring for unusual memory allocation patterns and establishing automated patch management processes to prevent similar vulnerabilities from affecting systems in the future.
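The following Java example was added for this entry to make the allocation pattern and the corresponding mitigation concrete; it is constructed illustration code, not Guava's AtomicDoubleArray and not VulDB's code. It assumes Java 9 or later (for the ObjectInputFilter API) and uses a hypothetical application ceiling MAX_ELEMENTS. The class EagerArray shows the pattern the analysis describes: the element count is read from the stream and an array of that size is allocated before a single element has been read. BoundedArray shows two layered fixes: an explicit range check on the declared count, and a buffer that grows only as elements are actually read, so memory use is proportional to the bytes the stream really contains rather than to the number the sender declared.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

/**
 * Constructed example (not Guava code): a Serializable double array whose custom
 * serialized form is an int element count followed by the elements, read two ways.
 */
public class BoundedDeserializationDemo {

    /** Allocation on the declared count: the CWE-770 pattern the advisory describes. */
    static final class EagerArray implements Serializable {
        private static final long serialVersionUID = 1L;
        transient double[] values;

        EagerArray(double[] values) { this.values = values.clone(); }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeInt(values.length);
            for (double v : values) out.writeDouble(v);
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int length = in.readInt();
            // Trusts the declared count: memory for all elements is committed before
            // any element has been read, so the sender alone decides the allocation size.
            values = new double[length];
            for (int i = 0; i < length; i++) values[i] = in.readDouble();
        }
    }

    /** Bounded variant: range-check the count, then grow only as data really arrives. */
    static final class BoundedArray implements Serializable {
        private static final long serialVersionUID = 1L;
        /** Hypothetical application-level ceiling; choose one that fits the use case. */
        static final int MAX_ELEMENTS = 1 << 20;
        transient double[] values;

        BoundedArray(double[] values) { this.values = values.clone(); }

        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            out.writeInt(values.length);
            for (double v : values) out.writeDouble(v);
        }

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            int length = in.readInt();
            if (length < 0 || length > MAX_ELEMENTS) {
                throw new InvalidObjectException("declared element count out of range: " + length);
            }
            // Start small and double on demand: an EOF on a short stream ends the read
            // long before a buffer sized to the declared count would exist.
            double[] buf = new double[Math.min(length, 16)];
            int n = 0;
            for (int i = 0; i < length; i++) {
                if (n == buf.length) buf = Arrays.copyOf(buf, Math.min(length, buf.length * 2));
                buf[n++] = in.readDouble();
            }
            values = Arrays.copyOf(buf, n);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    /** Deserialize under a JEP 290 filter (Java 9+) as the outer defence layer. */
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=1000;maxbytes=16777216;maxarray=1048576;"
          + "BoundedDeserializationDemo$*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        BoundedArray original = new BoundedArray(new double[] {1.5, -2.0, 3.25});
        BoundedArray copy = (BoundedArray) deserialize(serialize(original));
        System.out.println("round trip: " + Arrays.toString(copy.values));
    }
}
```

One caveat worth noting for defenders: the stream-level filter's maxarray limit only applies to arrays the ObjectInputStream itself decodes. A count written as a plain int and turned into an allocation inside a custom readObject, which is the situation described for the affected Guava classes, is invisible to the filter, so the bound has to live in the class's own deserialization code as in BoundedArray above; the filter still helps by capping total stream bytes and restricting which classes may be instantiated at all.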

Reservation: 04/20/2018

Moderation: accepted

Entry: 6

CPE: ready

EPSS: 0.03259

KEV: no

Activities: very low
