
CVE-2025-2900: CWE-122 Heap-based Buffer Overflow in IBM Semeru Runtime

Severity: High
Tags: Vulnerability, CVE-2025-2900, CWE-122
Published: Wed May 14 2025 (05/14/2025, 18:50:27 UTC)
Source: CVE
Vendor/Project: IBM
Product: Semeru Runtime

Description

IBM Semeru Runtime 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0 is vulnerable to a denial of service caused by a buffer overflow and subsequent crash, due to a defect in its native AES/CBC encryption implementation.

AI-Powered Analysis

Last updated: 08/29/2025, 00:50:17 UTC

Technical Analysis

CVE-2025-2900 is a high-severity heap-based buffer overflow (CWE-122) in IBM Semeru Runtime versions 8.0.302.0 through 8.0.442.0, 11.0.12.0 through 11.0.26.0, 17.0.0.0 through 17.0.14.0, and 21.0.0.0 through 12.0.6.0. The flaw is a defect in the runtime's native AES/CBC encryption implementation: data processed by that routine can overrun a heap buffer, and the resulting memory corruption crashes the affected process, producing a denial of service (DoS). The vulnerability has no direct confidentiality or integrity impact; its effect is on availability.

The CVSS v3.1 base score is 7.5 (High), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, and high availability impact. The network attack vector describes the worst case; a particular application is exposed to the extent that data it receives from the network reaches the affected AES/CBC routine. No exploits in the wild were known at the time of publication, and no patches had been linked at the time of this analysis.

IBM Semeru Runtime is IBM's open-source Java runtime distribution based on OpenJDK and is widely used to run Java applications, so the defect affects several major Java versions at once. The location of the overflow in the AES/CBC routine indicates that specially crafted input handled by that routine can trigger the overflow and cause crashes and service interruptions.

Potential Impact

For European organizations, the impact can be significant, especially for enterprises that run critical Java applications on IBM Semeru Runtime in sectors such as financial services, telecommunications, manufacturing, and government services. Successful exploitation results in denial of service, causing application crashes and potential downtime. This can disrupt business operations, remove the availability of key services, and affect customer trust and regulatory compliance, particularly under GDPR and other data protection frameworks that require service continuity. Because the vulnerability requires neither authentication nor user interaction and can be exploited remotely over the network, exposed services are at risk of automated, repeated crash attacks. The absence of confidentiality or integrity impact reduces the risk of a data breach but does not reduce the operational risk of service outages. Organizations with large-scale Java deployments, or those running IBM Semeru Runtime in cloud or containerized environments, may face cascading failures if the runtime is embedded in many microservices or backend systems.

Mitigation Recommendations

European organizations should immediately inventory their environments to identify every instance of IBM Semeru Runtime within the affected version ranges, including copies bundled inside application images and containers. Until official patches are released, mitigation should focus on reducing exposure: restrict network access to services running on vulnerable runtimes, apply strict firewall rules, and use network segmentation to isolate critical systems. Monitoring and alerting should be tuned to detect abnormal crashes or service disruptions that may indicate exploitation attempts. At the application level, disable or replace the native AES/CBC encryption feature where feasible, or switch to an alternative Java runtime that is not affected. Organizations should also prepare for rapid patch deployment once IBM releases fixes. Runtime application self-protection (RASP) or behavior-based anomaly detection can help identify exploitation attempts in real time, and vulnerability scanning and penetration testing focused on this CVE can validate that the mitigations are effective.
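The inventory step above needs a way to decide whether a given Java installation falls inside the affected ranges; the Python script below is an added example, not code from the advisory or from IBM, that parses constructed `java -version` banners, skips non-Semeru runtimes, and compares the reported version against the ranges listed in the description. It assumes that Java 8's `1.8.0_NNN` string corresponds to the advisory's `8.0.NNN.0` form, and it gives the 21.x range (printed on this page as "21.0.0.0 through 12.0.6.0") the assumed upper bound 21.0.6.0.

```python
import re

# Affected ranges (inclusive) as listed in the advisory description.
# The page prints the 21.x range as "21.0.0.0 through 12.0.6.0"; the upper
# bound 21.0.6.0 below is an ASSUMPTION of this example, not a page value.
AFFECTED_RANGES = [
    ("8.0.302.0", "8.0.442.0"),
    ("11.0.12.0", "11.0.26.0"),
    ("17.0.0.0", "17.0.14.0"),
    ("21.0.0.0", "21.0.6.0"),  # assumed upper bound, see note above
]

def normalize_version(text):
    """Map a Java version string to a 4-tuple in the advisory's dotted form.
    Java 8 reports '1.8.0_442'; mapping that to 8.0.442.0 is an assumption."""
    m = re.fullmatch(r"1\.8\.0_(\d+)", text)
    if m:
        return (8, 0, int(m.group(1)), 0)
    parts = [int(p) for p in re.findall(r"\d+", text)]  # tolerates '-ea' suffixes
    return tuple(parts + [0] * (4 - len(parts)))[:4]

def is_affected(version):
    """True when the version lies inside any affected range (bounds inclusive)."""
    v = normalize_version(version)
    return any(normalize_version(lo) <= v <= normalize_version(hi)
               for lo, hi in AFFECTED_RANGES)

def check_banner(banner):
    """Classify `java -version` output as (is_semeru, version, affected)."""
    if "IBM Semeru Runtime" not in banner:
        return (False, None, False)  # other vendors are out of scope for this CVE
    m = re.search(r'version "([^"]+)"', banner)
    if not m:
        return (True, None, False)  # Semeru, but no parseable version line
    version = m.group(1)
    return (True, version, is_affected(version))

# Constructed sample banners for demonstration; not captured from real hosts.
SAMPLE_BANNERS = {
    "semeru8": 'openjdk version "1.8.0_442"\nIBM Semeru Runtime Open Edition (build 1.8.0_442-b06)\n',
    "semeru17": 'openjdk version "17.0.14"\nIBM Semeru Runtime Open Edition 17.0.14.0 (build 17.0.14+7)\n',
    "semeru17_fixed": 'openjdk version "17.0.15"\nIBM Semeru Runtime Open Edition 17.0.15.0 (build 17.0.15+6)\n',
    "temurin17": 'openjdk version "17.0.14"\nOpenJDK Runtime Environment Temurin-17.0.14+7\n',
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name}: {check_banner(banner)}")
```

Feed it the captured output of `java -version 2>&1` from each host or container image to turn the inventory into a yes/no list.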


Technical Details

Data Version: 5.1
Assigner Short Name: ibm
Date Reserved: 2025-03-28T02:06:38.367Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec888

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 8/29/2025, 12:50:17 AM

Last updated: 10/3/2025, 9:04:24 AM
