Arrays
Java defines all arrays to be objects. The system normally provides array classes that inherit directly from Object but use the covariant subtyping rule. However, because of a bug in the AppletClassLoader, a user could define array classes of their own.
When a class is loaded via Class.forName(), the system asks the ClassLoader of the code that invoked Class.forName() to supply the class, unless it is an array class, in which case the system supplies an appropriate definition itself. However, AppletClassLoader did not check that the name of the class it actually loaded matched the name that was requested until after it had called defineClass(), which had the side effect of entering the class into the system class table. By misnaming a class as an array class, it was entered into the system class table and could be used as an array. By calling Class.newInstance(), an attacker could allocate an instance of their class and cast it into an array. When the class definition is needed to check the cast, the system first looks in the system class table, but only for array classes. If the definition has an integer as its first instance variable and the array is Class[], then the necessary conditions exist for running arbitrary machine code.
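The fix the text implies is to perform the name check before defineClass() runs, not after: the loader must confirm that the bytes it is about to define declare exactly the name that was requested, and must refuse any request for an array type, since those are the VM's to supply. The following Python model of that check is an added example, not code from the page, from the JDK or from AppletClassLoader; it parses only the class-file constant pool and the this_class entry, and the make_class_file helper together with the names demo.Honest and demo.Other are constructed test inputs. A Java loader would apply the same decision to its byte array before calling defineClass().

```python
import struct

# Payload sizes of fixed-length constant-pool entries (JVM spec, section 4.4).
# CONSTANT_Utf8 (tag 1) is variable length; Long and Double (5, 6) take two slots.
_FIXED_SIZE = {
    3: 4, 4: 4, 5: 8, 6: 8,      # Integer, Float, Long, Double
    7: 2, 8: 2,                  # Class, String
    9: 4, 10: 4, 11: 4, 12: 4,   # Fieldref, Methodref, InterfaceMethodref, NameAndType
    15: 3, 16: 2, 17: 4, 18: 4,  # MethodHandle, MethodType, Dynamic, InvokeDynamic
    19: 2, 20: 2,                # Module, Package
}


def declared_class_name(class_bytes):
    """Return the binary name recorded in the this_class entry of a class file."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (cp_count,) = struct.unpack_from(">H", class_bytes, 8)
    pool = {}
    pos = 10          # first constant-pool entry follows magic, minor, major, cp_count
    idx = 1           # constant-pool indices are 1-based
    while idx < cp_count:
        tag = class_bytes[pos]
        if tag == 1:
            (length,) = struct.unpack_from(">H", class_bytes, pos + 1)
            # Class names are ASCII here; real loaders must handle modified UTF-8.
            pool[idx] = ("utf8", class_bytes[pos + 3:pos + 3 + length].decode("utf-8"))
            pos += 3 + length
        elif tag == 7:
            (name_idx,) = struct.unpack_from(">H", class_bytes, pos + 1)
            pool[idx] = ("class", name_idx)
            pos += 3
        elif tag in _FIXED_SIZE:
            pool[idx] = (tag, None)          # payload not needed for the name check
            pos += 1 + _FIXED_SIZE[tag]
        else:
            raise ValueError("bad constant pool tag %d" % tag)
        idx += 2 if tag in (5, 6) else 1
    # After the pool: access_flags (u2), then this_class (u2).
    (this_class,) = struct.unpack_from(">H", class_bytes, pos + 2)
    kind, name_idx = pool[this_class]
    if kind != "class":
        raise ValueError("this_class does not point at a CONSTANT_Class")
    kind, name = pool[name_idx]
    if kind != "utf8":
        raise ValueError("CONSTANT_Class name_index does not point at a Utf8 entry")
    return name.replace("/", ".")


def admit_class(requested_name, class_bytes):
    """Decide, before any defineClass() call, whether a loader may define these bytes
    under requested_name. Returns (ok, reason)."""
    if requested_name.startswith("["):
        return False, "array classes are supplied by the VM, never by a user loader"
    declared = declared_class_name(class_bytes)
    if declared != requested_name:
        return False, "requested %s but bytes declare %s" % (requested_name, declared)
    return True, "ok"


def make_class_file(internal_name, super_name="java/lang/Object"):
    """Build a minimal, method-less class file declaring internal_name (constructed input)."""
    def utf8(s):
        b = s.encode("utf-8")
        return b"\x01" + struct.pack(">H", len(b)) + b
    pool = (b"\x07" + struct.pack(">H", 2) + utf8(internal_name)    # #1 Class -> #2 Utf8
            + b"\x07" + struct.pack(">H", 4) + utf8(super_name))    # #3 Class -> #4 Utf8
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 49)        # class-file version 49
    body = struct.pack(">H", 5) + pool                                # cp_count = entries + 1
    body += struct.pack(">HHHH", 0x0021, 1, 3, 0)                     # flags, this, super, no interfaces
    body += struct.pack(">HHH", 0, 0, 0)                              # no fields, methods, attributes
    return header + body


if __name__ == "__main__":
    honest = make_class_file("demo/Honest")
    print(admit_class("demo.Honest", honest))            # accepted
    print(admit_class("demo.Other", honest))             # name mismatch, refused
    print(admit_class("[Ljava.lang.Class;", honest))     # array request, refused
```

The ordering is the whole point: both refusals happen on the raw bytes, so a rejected definition never reaches the system class table. The mismatch case is exactly the misnaming the text describes, and the array case closes the route regardless of what the bytes declare.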