
CVE-2026-24802: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') in briandilley jsonrpc4j

Severity: Medium
Tags: CVE-2026-24802, CWE-835
Published: Tue Jan 27 2026 (01/27/2026, 08:38:34 UTC)
Source: CVE Database V5
Vendor/Project: briandilley
Product: jsonrpc4j

Description

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules). This vulnerability is associated with the program file NoCloseOutputStream.java. This issue affects jsonrpc4j: through 1.6.0.

AI-Powered Analysis

Last updated: 01/27/2026, 09:06:47 UTC

Technical Analysis

CVE-2026-24802 identifies a loop with an unreachable exit condition (CWE-835) in the jsonrpc4j library, specifically within the NoCloseOutputStream.java source file. Jsonrpc4j is a Java library used to facilitate JSON-RPC communication, commonly integrated into Java applications for remote procedure calls. The vulnerability exists in versions up to 1.6.0 and manifests as an infinite loop that can be triggered remotely without requiring authentication, though user interaction is necessary. This infinite loop can cause the affected application to hang or consume excessive CPU resources, leading to denial of service (DoS) conditions. The CVSS 4.0 base score of 5.3 reflects a medium severity, considering the network attack vector, low attack complexity, no privileges required, but user interaction needed, and limited impact on confidentiality, integrity, and availability. No public exploits are known at this time, and no official patches have been released yet. The vulnerability’s root cause is a programming logic error where the loop condition never becomes false, causing the program to stall indefinitely. This can degrade service availability and potentially impact dependent systems or users relying on the affected services.

Potential Impact

For European organizations, the primary impact is potential denial of service on applications using the vulnerable jsonrpc4j library. This can result in service outages, degraded performance, and resource exhaustion, affecting business continuity and user experience. Organizations relying on Java-based RPC frameworks in critical infrastructure, financial services, or public sector applications may face operational disruptions. Although the vulnerability does not directly expose sensitive data or allow privilege escalation, the availability impact can indirectly affect confidentiality and integrity by disrupting normal security controls or incident response processes. The medium severity rating suggests moderate risk, but the ease of exploitation without authentication and the widespread use of Java in Europe elevate the concern. Additionally, sectors with high reliance on RPC communications, such as telecommunications and software development firms, could experience increased risk.

Mitigation Recommendations

Immediate mitigation involves auditing all applications and services for usage of jsonrpc4j versions up to 1.6.0. Organizations should monitor vendor channels for official patches or updates addressing CVE-2026-24802. In the absence of an official patch, developers can implement code-level fixes to ensure loop exit conditions are reachable, such as adding timeout mechanisms or loop iteration limits in NoCloseOutputStream.java. Employing runtime monitoring and resource usage alerts can help detect anomalous CPU or memory consumption indicative of exploitation attempts. Network-level protections, such as rate limiting and input validation on JSON-RPC endpoints, can reduce the likelihood of triggering the infinite loop. Additionally, isolating vulnerable services and applying strict access controls can limit exposure. Regular security testing and code reviews focusing on loop constructs and exit conditions in RPC libraries are recommended to prevent similar issues.
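The first recommendation above, auditing builds for jsonrpc4j versions through 1.6.0, is the one step that can be automated without knowing anything about the loop itself. The following script is an added example, not code from the page or from the jsonrpc4j project: it scans Maven pom.xml text (including `${property}` version indirection) and Gradle build-script text for the jsonrpc4j artifact and flags any version at or below 1.6.0. The sample build files are constructed for this example, the version 1.7.0 in them is hypothetical, and the groupId com.github.briandilley.jsonrpc4j is the artifact's published Maven coordinate, assumed here only for the samples; matching is done on the artifactId alone so a dependency under another groupId is still reported.

```python
"""Dependency audit for CVE-2026-24802 (jsonrpc4j affected through 1.6.0).

Example code, not from the advisory or the jsonrpc4j project. Sample build
files below are constructed; the groupId used in them is an assumption.
"""
import re
import xml.etree.ElementTree as ET

ARTIFACT_ID = "jsonrpc4j"
LAST_AFFECTED = (1, 6, 0)   # advisory: affected "through 1.6.0" (inclusive)


def parse_version(version: str):
    """'1.6.0' -> (1, 6, 0); '1.5.3-SNAPSHOT' -> (1, 5, 3).

    Returns None when no numeric component can be read, e.g. an unresolved
    '${jsonrpc4j.version}' placeholder, so the caller can report it as unknown
    instead of silently treating it as safe or vulnerable.
    """
    core = version.strip().split("-")[0]        # drop qualifiers like -SNAPSHOT
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        return None
    parts += [0] * (3 - len(parts))             # pad '1.6' to (1, 6, 0)
    return tuple(parts[:3])


def is_affected(version: str):
    """True if version <= 1.6.0, False if newer, None if unparseable."""
    parsed = parse_version(version)
    return None if parsed is None else parsed <= LAST_AFFECTED


def _local(tag: str) -> str:
    """Strip the Maven POM XML namespace: '{http://...}dependency' -> 'dependency'."""
    return tag.rsplit("}", 1)[-1]


def scan_pom(pom_xml: str) -> list:
    """Return one finding per jsonrpc4j <dependency> in a pom.xml string."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props = {_local(c.tag): (c.text or "").strip() for c in el}
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        if fields.get("artifactId") != ARTIFACT_ID:
            continue
        version = fields.get("version", "")
        placeholder = re.fullmatch(r"\$\{([^}]+)\}", version)
        if placeholder:                          # resolve <version>${prop}</version>
            version = props.get(placeholder.group(1), version)
        findings.append({"source": "pom.xml", "group": fields.get("groupId", ""),
                         "version": version, "affected": is_affected(version)})
    return findings


# Matches 'group:jsonrpc4j:version' inside single or double quotes (Groovy or Kotlin DSL).
GRADLE_DEP = re.compile(r'["\']([\w.\-]+):' + ARTIFACT_ID + r':([\w.\-]+)["\']')


def scan_gradle(build_text: str) -> list:
    """Return one finding per jsonrpc4j coordinate string in a Gradle build script."""
    return [{"source": "build.gradle", "group": group, "version": version,
             "affected": is_affected(version)}
            for group, version in GRADLE_DEP.findall(build_text)]


# Constructed sample inputs (not real project files).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jsonrpc4j.version>1.6.0</jsonrpc4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>com.github.briandilley.jsonrpc4j</groupId>
      <artifactId>jsonrpc4j</artifactId>
      <version>${jsonrpc4j.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>2.17.0</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_GRADLE = """dependencies {
    implementation 'com.github.briandilley.jsonrpc4j:jsonrpc4j:1.5.3'
    implementation("com.github.briandilley.jsonrpc4j:jsonrpc4j:1.7.0")
}"""

if __name__ == "__main__":
    for finding in scan_pom(SAMPLE_POM) + scan_gradle(SAMPLE_GRADLE):
        print(finding)
```

Running the script on the two constructed samples reports the pom.xml dependency (resolved to 1.6.0) and the Gradle 1.5.3 entry as affected and the hypothetical 1.7.0 entry as not affected; an unresolvable version placeholder is reported with `affected: None` so it gets a manual look rather than being dropped from the audit. Transitive dependencies are not covered by text scanning, so pair this with `mvn dependency:tree` or `gradle dependencies` output for a complete inventory.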


Technical Details

Data Version: 5.2
Assigner Short Name: GovTech CSG
Date Reserved: 2026-01-27T08:18:43.268Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69787c804623b1157c108bd6

Added to database: 1/27/2026, 8:51:12 AM

Last enriched: 1/27/2026, 9:06:47 AM

Last updated: 2/7/2026, 7:04:06 AM

