Java and the NTFS Path weakness

Bernd Eckenfels ecki at
Tue Jan 19 10:18:03 UTC 2021

Hello Alan, I don’t think this is a Java vulnerability (but something Java application programmers have to deal with), that’s why I sent it to the mailing list (for lack of better channels).

Still there is a lesson to learn, we have two different windows file Name parsing behaviors in the openjdk.

Microsoft (and the mass media) seems to be aware of the Windows problems.

Von: Alan Bateman <Alan.Bateman at>
Gesendet: Tuesday, January 19, 2021 9:26:02 AM
An: Bernd <ecki at>; OpenJDK Dev list <security-dev at>; nio-dev <nio-dev at>
Betreff: Re: Java and the NTFS Path weakness

On 18/01/2021 21:29, Bernd wrote:

bad news everyone. The second Windows Filesystem related security bug reported by Jonas Lykkegaard which allows crashing Windows with a unpriveledged read access also affects JVM and it is not filtered by Path.of. Which means bot new File(bad).exists() and Files.readAllLines(Path.of(bad)) will crash Windows immediatelly.

I verified this on the latest Windows Server 2019 January Security Update.

var bad = "\\\\.\\globalroot\\device\\condrv\\kernelconnect"

BSOD issues should be reported to Microsoft. If there is any suggestion of a JDK bug here then it should be reported to vuln-report at<mailto:vuln-report at>. We (at least Oracle engineers) cannot engage in any discussion of vulnerability issues here.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the security-dev mailing list