FULL PRODUCT VERSION : A DESCRIPTION OF THE PROBLEM : Object.defineProperty() can be lured to change a non-writable, non-configurable property, if the property value is a NaN value. The issue is caused by a non-compliant implementation of [[DefineOwnProperty]] (ES5.1 - 8.12.9), see the already return in step 6 of that algorithm. This is mainly a problem for SES (Secure EcmaScript) and similar approaches. IIRC the problem would be considered a covert channel in the SES model. Nashorn version: hg tip 18edd7a1b166 STEPS TO FOLLOW TO REPRODUCE THE PROBLEM : function dec(n) { var a = new Uint8Array(new Float64Array([n]).buffer); return Array.apply(null, a).reduceRight(function(acc, v){return acc + (v < 10 ? "0" : "") + v.toString(16)}, ""); } jjs> o = Object.defineProperty({}, "NaN", {value: NaN}) [object Object] jjs> dec(o.NaN) 7ff8000000000000 jjs> Object.defineProperty(o, "NaN", {value: 0/0}) [object Object] jjs> dec(o.NaN) fff8000000000000 Expected: `o.NaN` is still the same NaN bit pattern, i.e. 7ff8000000000000 Actual: `o.NaN` bit pattern changed, i.e. fff8000000000000 REPRODUCIBILITY : This bug can be reproduced always.