Announcing ColdFusion updates of Jun 9 2026 - p1 security update - thoughts and resources
In brief, this update is classed by Adobe as a P1 (Priority 1, "Critical") security update. Then again, the security bulletin (link below) indicates as of today that, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."
The update also moves the Tomcat embedded within each CF version to a still more recent release than previous CF updates provided. To be clear, there are no other changes, bug fixes, or known issues indicated for this update.
FWIW, some may know that Adobe released an update just last month--which was ONLY for CF2025, as I discussed in a post that day, May 20. That DID include many new features and changes (including changed behaviors), so note that if you are on CF2025 and are skipping from update 7 or earlier, look to that post for more before proceeding.
And like with each CF update, I share the details about the update (from Adobe and from others) as well as additional info you may want to consider before (or after) doing the update.
For more, read on.
(And FWIW I'll note that having installed the update for each of the releases on multiple machines, I can report that it went well.)
Following are the topics discussed in this post:
- Finding the update (and more about it)
- What are the security issues addressed in the update?
- Packages updated in this update
- Additional info to consider before/after doing CF updates
- On getting help with the update(s)
I appreciate that some people look for my posts as a go-to resource about the update, and some may wish I'd gotten this note out earlier today (the day of the update's release). Besides testing on multiple machines, I also take time to consider feedback shared in the community, or things I learn as I offer help to them and my own clients. (So far, again, I'm not aware of any issues. That said, sometimes issues arise due to caching--with respect to "seeing" or downloading the update. Only time will tell, but such problems inevitably do pass.)
Finding the update (and more about it)
You should find news of the new update in your CF Admin upon login (assuming "check for updates" is enabled in its Package Manager "Settings" tab, or if you click the "check for updates" button under the "Core Server" section of the Package Manager page). If you don't, even today, give it time as there may be a caching issue.
Otherwise, Adobe has announced the update via their CF Portal, specifically these:
(Curiously, there is still no post for the update in the CF Community Forums, where often there tends to be more "discussion" from community members.)
And each such announcement points to the very important update technote available for each version:
BTW, note that the URL for these technotes has changed: I find currently that trying to use the URL of the previous updates (such as for CF2023 update 19) and incrementing the number by one results in a 404 error. They are now under the "guides" section of the Adobe site, rather than the "helpx" section. I don't know if this is a permanent change or just a temporary one, but it's worth noting in case you have bookmarked the previous technotes.
What are the security issues addressed in the update?
As I indicated at the outset, this update is focused solely on security. Quoting from the update technotes, the update "includes important security fixes that mitigate vulnerabilities related to arbitrary code execution, arbitrary file write, information disclosure, stored cross-site scripting, and security feature bypass".
Again the update ALSO includes an update to the Tomcat versions included in each of CF2025 (to Tomcat 10.1.55) and CF2023 (to Tomcat 9.0.118).
As for the CF aspects of the security vulnerabilities, see the Adobe Product Security Bulletin (or APSB) for this update, which indicates how it's indeed a Priority 1 "Critical" update, with the various CVEs listed in the bulletin having CVSS scores ranging from 4.8 to 9.6 out of 10. The bulletin clarifies the specific NIST CVEs addressed.
You can read the bulletin for the boilerplate identification of the issues, and the CVE documents. Sadly, as is nearly always the case, there is very little detail beyond that about the vulns, and certainly no information to help you "detect if you're vulnerable". The expectation is that "you are" (vulnerable) and therefore "you should apply the update" in order to get the protection it offers.
Packages updated in this update
As is the case with many of the CF updates, this one does include updates to a few of its packages. See the table at the bottom of each technote indicating what packages were updated (which differs slightly between the two versions).
(As I noted at the outset, this update includes no other changes, bug fixes, or known issues, as documented in the update technotes at the time of this writing.)
Additional info to consider before/after doing CF updates
Finally, just as with ANY CF update, there are a few issues you should keep in mind. Some have to do with things you should consider BEFORE doing any CF update, while others relate to considerations AFTER the update is applied.
I used to cover them within each of these posts, but I have tried to avoid repeating them. I'll say again that I plan to create a new post pulling the points out to stand alone (as a kind of best practices for CF updates). But until then, look first at the closing sections of my Apr 2026 update post:
- Things to beware BEFORE doing any CF update
- Changes, as a result of any CF updates you may be skipping
- Beware also that if you'd modified the pathfilter.json file introduced in the May 2025 CF update, sadly that file will be overwritten
- How can you assess if the update went well?
- 1) Check the update log, both for success applying the update
- 2) Check that same update log, for success in the update downloading any updated package
- 3) Check the coldfusion-out.log for success during UPDATING of any packages
- A few other topics generic to recent CF updates, which you may want to consider
- You should strongly consider "clearing the felix-cache"
- Other update topics to consider
And then there were still other generic update topics which I'd covered in still previous posts, the last one in my post on the Oct 2024 updates. After that I started having my subsequent posts point people instead to the bottom of that post for these equally important topics:
- What to consider, with regard to some previous CF updates (possible breaking changes)
- As with all CF updates, possible need to upgrade web server connector
- Something to consider, if you're updating CF2023 from its update 4, or earlier
- and more
On getting help with the update(s)
Finally, as for getting more help with the update, you have a few options.
First, you can reach out to Adobe via the post(s) announcing the update which I pointed to above. Adobe folks might well respond to issues you raise there. Or you could reach out to their support email addresses: [email protected] or [email protected].
Next, you can also reach out to the wider CF community for help or to hear from others. Note that I offer links to several of the online CF communities here.
Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly (often minutes, rarely even hours), getting you back on your feet. More at carehart.org/consulting.
For more content like this from Charlie Arehart:
- Signup to get his blog posts by email
- Follow his blog RSS feed
- View the rest of his blog posts
- View his blog posts on the Adobe CF portal
Need more help with problems?
- If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
- See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed





LocalVariableTable name index programming error: max 65,536 > 65,535
Not able to find the answer.
But assuming those prove not to explain or resolve your problem, here's what I'd recommend you try next.
First, try editing the file in question (just making an innocuous change like adding a new blank line), then save and run it. Does that help? If so I'll share more. Bottom line this will force recompilation of the template. No, it shouldn't be necessary. Let's just see first if it helps.
But then if that doesn't work (and I can imagine why it might not, despite being close to the solution), try this instead:
- stop cf
- delete the cfusion/wwwroot/WEB-INF/cfclasses folder (not its sibling "classes" folder)
- then restart cf
That will remove the saved compilation of all cfm and cfc files. Again, we should not NEED to do it, but let's see if it helps here. Note I said to do it while stopped. That's very important. (Using the "clear template cache" button in the cf admin does NOT do this.)
Let us know if it helps. If so, I'll share more. If not, at least confirm you've done all 4 things above (check log, delete felix-cache, edit file, clear cfclasses).
FYI I have skipped update 8, I went from update 7 to update 9
Before I posted my comment, I did delete compiled cfclasses, also made changes to the file and didn't work. Going to try felix-cache and see if it works.
LocalVariableTable name index programming error: max 65,536 > 65,535 The specific sequence of files included or processed is: {fileLocation}, line: xx"
java.lang.IllegalArgumentException: LocalVariableTable name index programming error: max 65,536 > 65,535
at org.apache.bcel.util.Args.requireU2(Args.java:81)
at org.apache.bcel.classfile.Attribute.<init>(Attribute.java:269)
at org.apache.bcel.classfile.LocalVariableTable.<init>(LocalVariableTable.java:67)
at org.apache.bcel.generic.MethodGen.getLocalVariableTable(MethodGen.java:770)
at org.apache.bcel.generic.MethodGen.getMethod(MethodGen.java:809)
at coldfusion.bytecode.JavaAssembler.getBytes(JavaAssembler.java:445)
at coldfusion.compiler.TemplateAssembler.assemble(TemplateAssembler.java:166)
at coldfusion.compiler.NeoTranslator.translateJava(NeoTranslator.java:410)
at coldfusion.compiler.NeoTranslator.translateJava(NeoTranslator.java:155)
at coldfusion.runtime.TemplateClassLoader$TemplateCache$1.fetch(TemplateClassLoader.java:525)
at coldfusion.util.LruCache.get(LruCache.java:180)
at coldfusion.runtime.TemplateClassLoader$TemplateCache.fetchSerial(TemplateClassLoader.java:451)
at coldfusion.util.AbstractCache.fetch(AbstractCache.java:58)
at coldfusion.util.SoftCache.get_statsOff(SoftCache.java:153)
at coldfusion.util.SoftCache.get(SoftCache.java:92)
at coldfusion.runtime.TemplateClassLoader.findClass(TemplateClassLoader.java:712)
at coldfusion.runtime.RuntimeServiceImpl.getFile(RuntimeServiceImpl.java:1175)
at coldfusion.runtime.RuntimeServiceImpl.resolveTemplatePath(RuntimeServiceImpl.java:1159)
at coldfusion.tagext.lang.IncludeTag.setTemplate(IncludeTag.java:438)
If I comment out that include from {fileLocation}, it is working.
I realize it may seem you have "simply found a bug". (It would not be clear if it's in update 9 or 8, since you came from 7.) And you may therefore want to just file a bug report with Adobe at tracker.adobe.com. If you do, let us know the ticket so readers can follow along. I've not heard of this from anyone else, but it could be some wider issue.
All that said, it may prove challenging for Adobe to recreate your problem. If you are interested in seeing if there may be something else we may discover, I can think of a few other things to consider (and even to double check regarding what you'd done, as there are reasons your efforts might not have affected what they should.)
It would take way too much time and space here to lay out all the possible things to consider, how to, then how to respond with permutations based on what may be found for any one. So if you are indeed interested to pursue this beyond just filing a ticket with them, we could arrange time today, tomorrow, or next week for a remote consulting session (could be less than an hour, perhaps even far less).
For more on my rates, approach, satisfaction guarantee, online calendar, email, phone, and more, see the consulting page at carehart.org.
Either way, looking forward to hearing how things turn out for you. And thanks for bringing the matter up, in case someone else may benefit (or might even offer another suggestion for you).
We have reduced the page size (removed a lot of code which was not used), down to around 4980 lines and everything seems to be working now.
at coldfusion.runtime.CfJspPage._get(CfJspPage.java:417)
at coldfusion.runtime.CfJspPage._get(CfJspPage.java:373)
at coldfusion.runtime.CfJspPage._get(CfJspPage.java:354)
at coldfusion.runtime.CfJspPage._autoscalarize(CfJspPage.java:2287)
at cfwebservices2ecfm1322521185._factor7(/CFIDE/administrator/extensions/webservices.cfm:298)"
This is not the entire error. This problem only occurs on the two servers that I updated. Could this be a bug in the update or is there another explanation? I see this error in the Coldfusion-out.log during the install: "Error [Thread-13] - Connect to 127.0.0.1:8997 [/127.0.0.1] failed: Connection refused: getsockopt http://127.0.0.1:8997/PDFgServlet/" These servers are isolated and the install is done manually.
Also, though I sound like a broken record (saying this in my replies to folks here), you should file a bug report at tracker.adobe.com, and share the ticket here.
Adobe folks have virtually never responded here to matters that I or others have raised here. BTW, I just accept that and write anyway for everyone else, as well as perhaps those at Adobe who read but for whatever reasons can't or won't respond here.
Finally, to your point about the socket error in the cf startup log lines regarding pdfg, that's wholly unrelated to web services, being instead about the cf add-on service that serves any use of the cfhtmltopdf tag.
In fact, can you confirm that you can? BTW, that list of web services is not technically necessary. You can call a web service without defining it there, just as you can serve a cfc as a web service without defining it there.
Some may contend they need it there to refresh cf's caching of a called web service's proxy (built by cf on first call to a web service), but in fact you can do that via the refreshwsdl attribute of cfinvoke or argument of createobject, as I have discussed in another blog post in the distant past. :-) It can also be done via an adminapi call.
Just saying that it's good to get them to look into this, but this news may help you in the meantime.
I did the install from the admin, it took a while and when I checked it hadn't restarted. I was able to start CF from the services panel but realized it was still on patch19. Looking at the log this morning I find errors:
648 Successes
0 Warnings
0 NonFatalErrors
4 FatalErrors
Action Notes:
Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.
Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.
Failed to copy hotfix files:C:\Windows\system32\config\systemprofile\353511.tmp\dist\cfusion\bin\coldfusion.exe: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.
Failed to copy hotfix files:C:\Windows\system32\config\systemprofile\353511.tmp\dist\cfusion\bin\coldfusionsvc.exe: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.
Any thoughts?
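As an added example (not part of the original post or comments, and not Adobe's tooling), here is one way to script the "check the update log" step against the summary format shown in the log excerpt above. The function names and the ok/review/failed/incomplete verdicts are assumptions of this example; the failed-update sample is copied from the excerpt and the clean sample is constructed.

```python
import re
from collections import Counter

# Summary counters and the copy-failure note, as they appear in the excerpt above.
COUNTER_RE = re.compile(r"^(\d+)\s+(Successes|Warnings|NonFatalErrors|FatalErrors)$")
COPY_FAIL_RE = re.compile(r"^Failed to copy hotfix files:(.+?): Failed to copy")

def parse_update_log(text):
    """Return summary counters, de-duplicated action notes, and files the installer could not replace."""
    counts, notes, blocked, in_notes = {}, Counter(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = COUNTER_RE.match(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
            in_notes = False
        elif line == "Action Notes:":
            in_notes = True          # assumption: notes run until the next counter or end of log
        elif in_notes and line:
            notes[line] += 1
            f = COPY_FAIL_RE.match(line)
            if f:
                blocked.append(f.group(1))
    return {"counts": counts, "notes": notes, "blocked_files": blocked}

def verdict(summary):
    """Classify the run; a log with no FatalErrors counter is treated as unfinished."""
    c = summary["counts"]
    if "FatalErrors" not in c:
        return "incomplete"
    if c["FatalErrors"] > 0:
        return "failed"              # server is still on the previous update level
    if c.get("NonFatalErrors", 0) or c.get("Warnings", 0):
        return "review"
    return "ok"

# Copied from the log excerpt in the comment above.
FAILED_LOG = r"""648 Successes
0 Warnings
0 NonFatalErrors
4 FatalErrors
Action Notes:
Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.
Moving files failed:: Failed to back up the previous hotfix files. Retry installation after ensuring that the server is not running or files are not locked by the server.
Failed to copy hotfix files:C:\Windows\system32\config\systemprofile\353511.tmp\dist\cfusion\bin\coldfusion.exe: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.
Failed to copy hotfix files:C:\Windows\system32\config\systemprofile\353511.tmp\dist\cfusion\bin\coldfusionsvc.exe: Failed to copy the hotfix files to the target location. Retry installation after ensuring that the server is not running or files are not locked by the server.
"""

# Constructed sample of a clean run, using the same counter names.
CLEAN_LOG = "650 Successes\n0 Warnings\n0 NonFatalErrors\n0 FatalErrors\n"

if __name__ == "__main__":
    for name, log in (("failed sample", FAILED_LOG), ("clean sample", CLEAN_LOG)):
        s = parse_update_log(log)
        print(name, verdict(s), s["counts"], s["blocked_files"])
```

A "failed" verdict after a P1 security update means the fixes are not in place, so it is worth alerting on rather than only checking that the service came back up.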
My second thought is that when this happens, it's usually because the cf windows service has been changed to run cf as a user other than the default "local system" account. That change (to use a non-system user) is a wise one, from a security perspective. And it's even recommended in the cf lockdown guide.
But it has this negative consequence: that user doesn't have the authority to stop the cf service. So some people in this situation resort to running the update from the commandline (opening that "as admin"), which will solve this.
But another solution is to give that user the authority to stop/start the cf services. The best (and free) tool for that is Service Security Editor, from Core Technologies:
https://www.coretechnologies.com/products/ServiceSecurityEditor/
I've used it for years and have spoken about it but don't think I've yet blogged on it.
Let us know if either approach gets you going, or what you may find.
Is it better to run from command line? Stop services, Run as Admin, point at Jar. Thinking I may just retry from admin.
And yes, it's ok to "try again" even though the first attempt failed. Only rarely will it report that it thinks the update is "already installed" (even when it failed).
Also, yes, you can use that java -jar approach (which is outlined in the update technotes).
FWIW, an alternative some prefer is to use the cfpm cli tool (found in the cfusion/bin folder), which is new since CF2021. While its main task is to manage packages (cfpm stands for "cf package manager"), it can apply the core update as well. There's no particular advantage of it over the "java -jar" approach. It simply ends up doing that for you.
Again, do be sure to stop CF first. While all of those update approaches SHOULD stop it first, if you're going to go the command line anyway, just stop the service before trying. Recall that your error said, "Retry installation after ensuring that the server is not running". My previous point was that usually that happens when one tries the Admin but has it running as a non-system/non-root user. You're saying that wasn't the issue in this case. OK.
Let us know how it goes.
I then stopped the service and ran the patch from the command line, as Admin. It ran perfectly and started the service.
So issue resolved. It has been a month since the server was last down and potentially it had enough traffic on it to slow the auto-stop of the service from the admin panel as you suggested. Thanks for your help! Sorry I won't be in Vegas, but see you in '27
Thanks for the update.
Are you running on Linux? Could your issue be related to resource usage limits? You could use "ulimit" to check some of your settings. I thought of this after reading this page on CF Monitoring and the prereqs require updating file descriptor limits to 65536.
https://helpx.adobe.com/de/coldfusion/performance-monitoring-toolset/install-coldfusion-performance-monitoring-toolset.html
I'll say that there was that tweak to ulimit for the PMT documented by Adobe a few years ago, I don't recall seeing one for CF itself. Again, it will be very interesting to hear a) if it helps Manu and b) whether it may be more widely applicable.
Thanks for all your help.
https://www.carehart.org/blog/2026/6/9/coldfusion_updates_released_jun_9_2026#c2DCC9A19-D451-A165-836A54ACD14E031B
Bottom line, any news from Adobe? I still see no response on the tracker ticket...though also no one else has chimed in, either. There may still prove to be something environmentally unique causing your challenge.