Java and the NTFS Path weakness

Alan Bateman Alan.Bateman at
Tue Jan 19 08:26:02 UTC 2021

On 18/01/2021 21:29, Bernd wrote:
> Hello,
> bad news everyone. The second Windows Filesystem related security bug 
> reported by Jonas Lykkegaard which allows crashing Windows with a 
> unpriveledged read access also affects JVM and it is not filtered by 
> Path.of. Which means bot new File(bad).exists() and 
> Files.readAllLines(Path.of(bad)) will crash Windows immediatelly.
> I verified this on the latest Windows Server 2019 January Security Update.
> var bad = "\\\\.\\globalroot\\device\\condrv\\kernelconnect"
BSOD issues should be reported to Microsoft. If there is any suggestion 
of a JDK bug here then it should be reported to 
vuln-report at We (at least Oracle engineers) cannot 
engage in any discussion of vulnerability issues here.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the security-dev mailing list