Updated: 2025-08-20 02:24:50.237064
Description:
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long-standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77. The bug could cause client connections to share an Http11Processor instance, resulting in responses, or partial responses, being received by the wrong client.

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | | 0.0 |
| CVSS Version 3.x | LOW | 3.7 |

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| Debian 10 ELS | tomcat9 | 9.0.31 | 3.7 | LOW | Ignored | | 2025-10-11 00:18:24 | Ignored due to low severity |
| Ubuntu 18.04 ELS | tomcat9 | 9.0.16-3 | 3.7 | LOW | Ignored | | 2023-07-05 05:06:50 | Ignored due to low severity |
| Ubuntu 18.04 ELS | tomcat8 | 8.5.39-1 | 3.7 | LOW | Released | CLSA-2025:1748282295 | 2025-05-27 03:58:16 | Ignored due to low severity |