It was discovered that the Remote Method Invocation component in OpenJDK did not properly handle unreferenced objects. An attacker could use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions.