Search

Find a vulnerability

Search criteria

    116 vulnerabilities found for graalvm_for_jdk by oracle

    CVE-2026-34282 (GCVE-0-2026-34282)

    Vulnerability from nvd – Published: 2026-04-21 20:35 – Updated: 2026-06-30 12:09
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
    Assigner
    References
    URL Tags
    https://www.oracle.com/security-alerts/cpuapr2026.html vendor-advisory
    https://access.redhat.com/security/cve/CVE-2026-34282 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2460044 issue-trackingx_refsource_REDHAT
    https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
    https://access.redhat.com/errata/RHSA-2026:9254 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9689 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9693 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9686 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9256 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9688 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9687 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9691 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9694 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11655 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11403 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11902 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11829 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:22328 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11822 vendor-advisoryx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u481-perf
    Affected: 11.0.30
    Affected: 17.0.18
    Affected: 21.0.10
    Affected: 25.0.2
    Affected: 26
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.18
    Affected: 21.0.10
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.17
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 7     cpe:/a:redhat:openjdk_els:11::el7
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 8     cpe:/a:redhat:openjdk_els:11::el8
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 9     cpe:/a:redhat:openjdk_els:11::el9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.4)     cpe:/a:redhat:rhel_aus:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)     cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.6)     cpe:/a:redhat:rhel_aus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.6)     cpe:/a:redhat:rhel_e4s:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.6)     cpe:/a:redhat:rhel_tus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.8)     cpe:/a:redhat:rhel_e4s:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.8)     cpe:/a:redhat:rhel_tus:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.0)     cpe:/a:redhat:rhel_e4s:9.0::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.2)     cpe:/a:redhat:rhel_e4s:9.2::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CRB (v. 8)     cpe:/a:redhat:enterprise_linux:8::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::crb
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)     cpe:/a:redhat:enterprise_linux:9::crb
    Create a notification for this product.
    Red Hat OPENJDK ELS 11.0.31     cpe:/a:redhat:openjdk_els:11
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 17.0.19     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 17.0.9     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 21.0.11     cpe:/a:redhat:openjdk:21
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 25.0.3     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary EUS (v.10.2)     cpe:/o:redhat:enterprise_linux_eus:10.2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
    Create a notification for this product.
    Red Hat Temurin Build of OpenJDK 25.0.3     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 1.8     cpe:/a:redhat:openjdk:1.8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34282",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T15:33:23.475952Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T15:34:09.905Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.0::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.2::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CRB (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11"
                ],
                "defaultStatus": "affected",
                "product": "OPENJDK ELS 11.0.31",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 17.0.19",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 17.0.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:21"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 21.0.11",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 25.0.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary EUS (v.10.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Temurin Build of OpenJDK 25.0.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:1.8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of OpenJDK 1.8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-21T20:00:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-835",
                    "description": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:09:14.603Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-34282"
              },
              {
                "name": "RHBZ#2460044",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460044"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34282.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9254"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9689"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9693"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9686"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9256"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9688"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9687"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9691"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9694"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11655"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11403"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11902"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11829"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22328"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11822"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:9254: Red Hat OpenJDK 11 ELS for RHEL 7, Red Hat OpenJDK 11 ELS for RHEL 8, Red Hat OpenJDK 11 ELS for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9689: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9693: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9686: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4), Red Hat Enterprise Linux AppStream TUS (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.8), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9256: OPENJDK ELS 11.0.31"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9688: Red Hat Build of OpenJDK 17.0.19"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9687: Red Hat Build of OpenJDK 17.0.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9691: Red Hat Build of OpenJDK 21.0.11"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9694: Red Hat Build of OpenJDK 25.0.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11655: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11403: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11902: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11829: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22328: Red Hat Enterprise Linux Supplementary (v. 10), Red Hat Enterprise Linux Supplementary EUS (v. 10.0), Red Hat Enterprise Linux Supplementary EUS (v.10.2)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11822: Temurin Build of OpenJDK 25.0.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-21T00:00:00.000Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-21T20:00:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "openjdk: Enhance TLS connection handling (Oracle CPU 2026-04)",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u481-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.30"
                },
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                },
                {
                  "status": "affected",
                  "version": "25.0.2"
                },
                {
                  "status": "affected",
                  "version": "26"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T20:35:21.405Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-34282",
        "datePublished": "2026-04-21T20:35:21.405Z",
        "dateReserved": "2026-03-26T19:48:45.676Z",
        "dateUpdated": "2026-06-30T12:09:14.603Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34268 (GCVE-0-2026-34268)

    Vulnerability from nvd – Published: 2026-04-21 20:35 – Updated: 2026-04-22 13:55
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u481
    Affected: 8u481-b50
    Affected: 8u481-perf
    Affected: 11.0.30
    Affected: 17.0.18
    Affected: 21.0.10
    Affected: 25.0.2
    Affected: 26
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.18
    Affected: 21.0.10
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34268",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T13:55:07.407266Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-200",
                    "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T13:55:11.210Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u481"
                },
                {
                  "status": "affected",
                  "version": "8u481-b50"
                },
                {
                  "status": "affected",
                  "version": "8u481-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.30"
                },
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                },
                {
                  "status": "affected",
                  "version": "25.0.2"
                },
                {
                  "status": "affected",
                  "version": "26"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u481",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 2.9,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T20:35:14.204Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-34268",
        "datePublished": "2026-04-21T20:35:14.204Z",
        "dateReserved": "2026-03-26T19:48:45.674Z",
        "dateUpdated": "2026-04-22T13:55:11.210Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22021 (GCVE-0-2026-22021)

    Vulnerability from nvd – Published: 2026-04-21 20:35 – Updated: 2026-04-22 13:58
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u481
    Affected: 8u481-b50
    Affected: 8u481-perf
    Affected: 11.0.30
    Affected: 17.0.18
    Affected: 21.0.10
    Affected: 25.0.2
    Affected: 26
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.18
    Affected: 21.0.10
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22021",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T13:58:16.461640Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T13:58:23.932Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u481"
                },
                {
                  "status": "affected",
                  "version": "8u481-b50"
                },
                {
                  "status": "affected",
                  "version": "8u481-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.30"
                },
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                },
                {
                  "status": "affected",
                  "version": "25.0.2"
                },
                {
                  "status": "affected",
                  "version": "26"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u481",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T20:35:12.845Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-22021",
        "datePublished": "2026-04-21T20:35:12.845Z",
        "dateReserved": "2026-01-05T18:07:34.731Z",
        "dateUpdated": "2026-04-22T13:58:23.932Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22018 (GCVE-0-2026-22018)

    Vulnerability from nvd – Published: 2026-04-21 20:35 – Updated: 2026-04-22 14:06
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u481
    Affected: 8u481-b50
    Affected: 8u481-perf
    Affected: 11.0.30
    Affected: 17.0.18
    Affected: 21.0.10
    Affected: 25.0.2
    Affected: 26
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.18
    Affected: 21.0.10
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22018",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T14:05:52.390108Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T14:06:10.533Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u481"
                },
                {
                  "status": "affected",
                  "version": "8u481-b50"
                },
                {
                  "status": "affected",
                  "version": "8u481-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.30"
                },
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                },
                {
                  "status": "affected",
                  "version": "25.0.2"
                },
                {
                  "status": "affected",
                  "version": "26"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u481",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T20:35:11.445Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-22018",
        "datePublished": "2026-04-21T20:35:11.445Z",
        "dateReserved": "2026-01-05T18:07:34.728Z",
        "dateUpdated": "2026-04-22T14:06:10.533Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22016 (GCVE-0-2026-22016)

    Vulnerability from nvd – Published: 2026-04-21 20:35 – Updated: 2026-06-30 12:06
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-502 - Deserialization of Untrusted Data
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    URL Tags
    https://www.oracle.com/security-alerts/cpuapr2026.html vendor-advisory
    https://access.redhat.com/security/cve/CVE-2026-22016 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2460039 issue-trackingx_refsource_REDHAT
    https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
    https://access.redhat.com/errata/RHSA-2026:9682 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9254 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9689 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9693 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9683 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9686 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9256 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9688 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9687 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9691 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9694 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9684 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11655 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11403 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11902 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11829 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:22328 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:22139 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11822 vendor-advisoryx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u481
    Affected: 8u481-b50
    Affected: 8u481-perf
    Affected: 11.0.30
    Affected: 17.0.18
    Affected: 21.0.10
    Affected: 25.0.2
    Affected: 26
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.18
    Affected: 21.0.10
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.17
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Server (v. 7 ELS)     cpe:/o:redhat:rhel_els:7
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 7     cpe:/a:redhat:openjdk_els:11::el7
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Server Optional (v. 7 ELS)     cpe:/o:redhat:rhel_els:7
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 8     cpe:/a:redhat:openjdk_els:11::el8
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 9     cpe:/a:redhat:openjdk_els:11::el9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v. 8.2)     cpe:/a:redhat:rhel_aus:8.2::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.4)     cpe:/a:redhat:rhel_aus:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)     cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.6)     cpe:/a:redhat:rhel_aus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.6)     cpe:/a:redhat:rhel_e4s:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.6)     cpe:/a:redhat:rhel_tus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.8)     cpe:/a:redhat:rhel_e4s:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.8)     cpe:/a:redhat:rhel_tus:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.0)     cpe:/a:redhat:rhel_e4s:9.0::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.2)     cpe:/a:redhat:rhel_e4s:9.2::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CRB (v. 8)     cpe:/a:redhat:enterprise_linux:8::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::crb
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)     cpe:/a:redhat:enterprise_linux:9::crb
    Create a notification for this product.
    Red Hat OPENJDK ELS 11.0.31     cpe:/a:redhat:openjdk_els:11
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 17.0.19     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 17.0.9     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 21.0.11     cpe:/a:redhat:openjdk:21
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 25.0.3     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 8u492     cpe:/a:redhat:openjdk:1.8
    Create a notification for this product.
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary EUS (v.10.2)     cpe:/o:redhat:enterprise_linux_eus:10.2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary (v. 8)     cpe:/a:redhat:enterprise_linux:8::supplementary
    Create a notification for this product.
    Red Hat Temurin Build of OpenJDK 25.0.3     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22016",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T14:11:15.674948Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-200",
                    "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              },
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T14:12:01.017Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_els:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Server (v. 7 ELS)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_els:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.2::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.0::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.2::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CRB (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11"
                ],
                "defaultStatus": "affected",
                "product": "OPENJDK ELS 11.0.31",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 17.0.19",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 17.0.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:21"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 21.0.11",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 25.0.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:1.8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 8u492",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary EUS (v.10.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::supplementary"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Temurin Build of OpenJDK 25.0.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-21T20:00:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-611",
                    "description": "Improper Restriction of XML External Entity Reference",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:48.107Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-22016"
              },
              {
                "name": "RHBZ#2460039",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460039"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22016.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9682"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9254"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9689"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9693"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9683"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9686"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9256"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9688"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9687"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9691"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9694"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9684"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11655"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11403"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11902"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11829"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22328"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22139"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11822"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:9682: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9254: Red Hat OpenJDK 11 ELS for RHEL 7, Red Hat OpenJDK 11 ELS for RHEL 8, Red Hat OpenJDK 11 ELS for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9689: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9693: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9683: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream AUS (v. 8.2), Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4), Red Hat Enterprise Linux AppStream TUS (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.8), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9686: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4), Red Hat Enterprise Linux AppStream TUS (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.8), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9256: OPENJDK ELS 11.0.31"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9688: Red Hat Build of OpenJDK 17.0.19"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9687: Red Hat Build of OpenJDK 17.0.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9691: Red Hat Build of OpenJDK 21.0.11"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9694: Red Hat Build of OpenJDK 25.0.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9684: Red Hat Build of OpenJDK 8u492"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11655: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11403: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11902: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11829: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22328: Red Hat Enterprise Linux Supplementary (v. 10), Red Hat Enterprise Linux Supplementary EUS (v. 10.0), Red Hat Enterprise Linux Supplementary EUS (v.10.2)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22139: Red Hat Enterprise Linux Supplementary (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11822: Temurin Build of OpenJDK 25.0.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-21T00:00:00.000Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-21T20:00:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "openjdk: Enhance Path Factories Redux (Oracle CPU 2026-04)",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u481"
                },
                {
                  "status": "affected",
                  "version": "8u481-b50"
                },
                {
                  "status": "affected",
                  "version": "8u481-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.30"
                },
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                },
                {
                  "status": "affected",
                  "version": "25.0.2"
                },
                {
                  "status": "affected",
                  "version": "26"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u481",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T20:35:10.242Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-22016",
        "datePublished": "2026-04-21T20:35:10.242Z",
        "dateReserved": "2026-01-05T18:07:34.728Z",
        "dateUpdated": "2026-06-30T12:06:48.107Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22013 (GCVE-0-2026-22013)

    Vulnerability from nvd – Published: 2026-04-21 20:35 – Updated: 2026-04-22 14:09
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-693 - Protection Mechanism Failure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u481
    Affected: 8u481-b50
    Affected: 8u481-perf
    Affected: 11.0.30
    Affected: 17.0.18
    Affected: 21.0.10
    Affected: 25.0.2
    Affected: 26
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.18
    Affected: 21.0.10
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22013",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T14:09:34.920958Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-693",
                    "description": "CWE-693 Protection Mechanism Failure",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T14:09:54.302Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u481"
                },
                {
                  "status": "affected",
                  "version": "8u481-b50"
                },
                {
                  "status": "affected",
                  "version": "8u481-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.30"
                },
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                },
                {
                  "status": "affected",
                  "version": "25.0.2"
                },
                {
                  "status": "affected",
                  "version": "26"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u481",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T20:35:08.836Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-22013",
        "datePublished": "2026-04-21T20:35:08.836Z",
        "dateReserved": "2026-01-05T18:07:34.727Z",
        "dateUpdated": "2026-04-22T14:09:54.302Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22007 (GCVE-0-2026-22007)

    Vulnerability from nvd – Published: 2026-04-21 20:35 – Updated: 2026-04-22 14:05
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u481
    Affected: 8u481-b50
    Affected: 8u481-perf
    Affected: 11.0.30
    Affected: 17.0.18
    Affected: 21.0.10
    Affected: 25.0.2
    Affected: 26
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.18
    Affected: 21.0.10
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22007",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T14:05:16.229810Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-200",
                    "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T14:05:28.424Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u481"
                },
                {
                  "status": "affected",
                  "version": "8u481-b50"
                },
                {
                  "status": "affected",
                  "version": "8u481-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.30"
                },
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                },
                {
                  "status": "affected",
                  "version": "25.0.2"
                },
                {
                  "status": "affected",
                  "version": "26"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u481",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 2.9,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T20:35:04.885Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-22007",
        "datePublished": "2026-04-21T20:35:04.885Z",
        "dateReserved": "2026-01-05T18:07:34.726Z",
        "dateUpdated": "2026-04-22T14:05:28.424Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21945 (GCVE-0-2026-21945)

    Vulnerability from nvd – Published: 2026-01-20 21:56 – Updated: 2026-06-30 12:06
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-295 - Improper Certificate Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u471
    Affected: 8u471-b50
    Affected: 8u471-perf
    Affected: 11.0.29
    Affected: 17.0.17
    Affected: 21.0.9
    Affected: 25.0.1
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.17
    Affected: 21.0.9
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.16
    Create a notification for this product.
    Siemens SIMATIC CN 4100 Affected: 0 , < V5.0 (custom)
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Server (v. 7 ELS)     cpe:/o:redhat:rhel_els:7
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 7     cpe:/a:redhat:openjdk_els:11::el7
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Server Optional (v. 7 ELS)     cpe:/o:redhat:rhel_els:7
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 8     cpe:/a:redhat:openjdk_els:11::el8
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 9     cpe:/a:redhat:openjdk_els:11::el9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v. 8.2)     cpe:/a:redhat:rhel_aus:8.2::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.4)     cpe:/a:redhat:rhel_aus:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)     cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.6)     cpe:/a:redhat:rhel_aus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.6)     cpe:/a:redhat:rhel_e4s:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.6)     cpe:/a:redhat:rhel_tus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.8)     cpe:/a:redhat:rhel_e4s:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.8)     cpe:/a:redhat:rhel_tus:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.0)     cpe:/a:redhat:rhel_e4s:9.0::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.2)     cpe:/a:redhat:rhel_e4s:9.2::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CRB (v. 8)     cpe:/a:redhat:enterprise_linux:8::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::crb
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)     cpe:/a:redhat:enterprise_linux:9::crb
    Create a notification for this product.
    Red Hat OPENJDK ELS 11.0.30     cpe:/a:redhat:openjdk_els:11
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 17.0.18     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 21.0.10     cpe:/a:redhat:openjdk:21
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 25.0.2     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 8u482     cpe:/a:redhat:openjdk:1.8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary (v. 8)     cpe:/a:redhat:enterprise_linux:8::supplementary
    Create a notification for this product.
    Red Hat Temurin Build of OpenJDK 25.0.2     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21945",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T15:04:39.899042Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T15:05:36.940Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:08:51.450Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_els:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Server (v. 7 ELS)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_els:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.2::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.0::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.2::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CRB (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11"
                ],
                "defaultStatus": "affected",
                "product": "OPENJDK ELS 11.0.30",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 17.0.18",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:21"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 21.0.10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 25.0.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:1.8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 8u482",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::supplementary"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Temurin Build of OpenJDK 25.0.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-01-20T21:21:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and  21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-295",
                    "description": "Improper Certificate Validation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:26.782Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-21945"
              },
              {
                "name": "RHBZ#2429927",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429927"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21945.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0931"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0847"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0928"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0933"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0932"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0927"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0848"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0897"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0899"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0901"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0895"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4832"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:1606"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:0931: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0847: Red Hat OpenJDK 11 ELS for RHEL 7, Red Hat OpenJDK 11 ELS for RHEL 8, Red Hat OpenJDK 11 ELS for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0928: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0933: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0932: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream AUS (v. 8.2), Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4), Red Hat Enterprise Linux AppStream TUS (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.8), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0927: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4), Red Hat Enterprise Linux AppStream TUS (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.8), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0848: OPENJDK ELS 11.0.30"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0897: Red Hat Build of OpenJDK 17.0.18"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0899: Red Hat Build of OpenJDK 21.0.10"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0901: Red Hat Build of OpenJDK 25.0.2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0895: Red Hat Build of OpenJDK 8u482"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4832: Red Hat Enterprise Linux Supplementary (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:1606: Temurin Build of OpenJDK 25.0.2"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-01-15T12:05:58.026Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-01-20T21:21:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "openjdk: Enhance Certificate Checking (Oracle CPU 2026-01)",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u471"
                },
                {
                  "status": "affected",
                  "version": "8u471-b50"
                },
                {
                  "status": "affected",
                  "version": "8u471-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.29"
                },
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                },
                {
                  "status": "affected",
                  "version": "25.0.1"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.16"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u471",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.29:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.1:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.16:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and  21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T21:56:27.997Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-21945",
        "datePublished": "2026-01-20T21:56:27.997Z",
        "dateReserved": "2026-01-05T18:07:34.712Z",
        "dateUpdated": "2026-06-30T12:06:26.782Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21933 (GCVE-0-2026-21933)

    Vulnerability from nvd – Published: 2026-01-20 21:56 – Updated: 2026-05-12 12:08
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-noinfo Not enough information
    Assigner
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u471
    Affected: 8u471-b50
    Affected: 8u471-perf
    Affected: 11.0.29
    Affected: 17.0.17
    Affected: 21.0.9
    Affected: 25.0.1
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.17
    Affected: 21.0.9
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.16
    Create a notification for this product.
    Siemens SIMATIC CN 4100 Affected: 0 , < V5.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21933",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T20:56:13.969343Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "CWE-noinfo Not enough information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T20:56:25.029Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:08:50.255Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u471"
                },
                {
                  "status": "affected",
                  "version": "8u471-b50"
                },
                {
                  "status": "affected",
                  "version": "8u471-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.29"
                },
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                },
                {
                  "status": "affected",
                  "version": "25.0.1"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.16"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u471",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.29:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.1:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.16:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and  21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T21:56:24.083Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-21933",
        "datePublished": "2026-01-20T21:56:24.083Z",
        "dateReserved": "2026-01-05T18:07:34.709Z",
        "dateUpdated": "2026-05-12T12:08:50.255Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21932 (GCVE-0-2026-21932)

    Vulnerability from nvd – Published: 2026-01-20 21:56 – Updated: 2026-06-30 12:06
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-noinfo Not enough information
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u471
    Affected: 8u471-b50
    Affected: 8u471-perf
    Affected: 11.0.29
    Affected: 17.0.17
    Affected: 21.0.9
    Affected: 25.0.1
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.17
    Affected: 21.0.9
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.16
    Create a notification for this product.
    Siemens SIMATIC CN 4100 Affected: 0 , < V5.0 (custom)
    Create a notification for this product.
    Red Hat OPENJDK ELS 11.0.30     cpe:/a:redhat:openjdk_els:11
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 17.0.18     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 21.0.10     cpe:/a:redhat:openjdk:21
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 8u482     cpe:/a:redhat:openjdk:1.8
    Create a notification for this product.
    Red Hat Temurin Build of OpenJDK 25.0.2     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 1.8     cpe:/a:redhat:openjdk:1.8
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 11 ELS     cpe:/a:redhat:openjdk_els:11
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 17     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 21     cpe:/a:redhat:openjdk:21
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 25     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21932",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T20:55:36.680427Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "CWE-noinfo Not enough information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T20:55:54.335Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:08:49.052Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11"
                ],
                "defaultStatus": "affected",
                "product": "OPENJDK ELS 11.0.30",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 17.0.18",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:21"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 21.0.10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:1.8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 8u482",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Temurin Build of OpenJDK 25.0.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:1.8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of OpenJDK 1.8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of OpenJDK 11 ELS",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of OpenJDK 17",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:21"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of OpenJDK 21",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of OpenJDK 25",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-01-20T21:21:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX).  Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and  21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.4,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1287",
                    "description": "Improper Validation of Specified Type of Input",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:27.072Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-21932"
              },
              {
                "name": "RHBZ#2429925",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429925"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21932.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0849"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0898"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0900"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0896"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:1606"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:0849: OPENJDK ELS 11.0.30"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0898: Red Hat Build of OpenJDK 17.0.18"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0900: Red Hat Build of OpenJDK 21.0.10"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0896: Red Hat Build of OpenJDK 8u482"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:1606: Temurin Build of OpenJDK 25.0.2"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-01-15T12:01:50.512Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-01-20T21:21:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "openjdk: Enhance Handling of URIs (Oracle CPU 2026-01)",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u471"
                },
                {
                  "status": "affected",
                  "version": "8u471-b50"
                },
                {
                  "status": "affected",
                  "version": "8u471-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.29"
                },
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                },
                {
                  "status": "affected",
                  "version": "25.0.1"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.16"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u471",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.29:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.1:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.16:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX).  Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and  21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T21:56:23.742Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-21932",
        "datePublished": "2026-01-20T21:56:23.742Z",
        "dateReserved": "2026-01-05T18:07:34.709Z",
        "dateUpdated": "2026-06-30T12:06:27.072Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21925 (GCVE-0-2026-21925)

    Vulnerability from nvd – Published: 2026-01-20 21:56 – Updated: 2026-05-12 12:08
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-noinfo Not enough information
    Assigner
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u471
    Affected: 8u471-b50
    Affected: 8u471-perf
    Affected: 11.0.29
    Affected: 17.0.17
    Affected: 21.0.9
    Affected: 25.0.1
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.17
    Affected: 21.0.9
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.16
    Create a notification for this product.
    Siemens SIMATIC CN 4100 Affected: 0 , < V5.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21925",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T20:50:27.654836Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "CWE-noinfo Not enough information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T20:51:07.046Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:08:47.916Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u471"
                },
                {
                  "status": "affected",
                  "version": "8u471-b50"
                },
                {
                  "status": "affected",
                  "version": "8u471-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.29"
                },
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                },
                {
                  "status": "affected",
                  "version": "25.0.1"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.16"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u471",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.29:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.1:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.16:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI).  Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and  21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T21:56:21.058Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-21925",
        "datePublished": "2026-01-20T21:56:21.058Z",
        "dateReserved": "2026-01-05T18:07:34.708Z",
        "dateUpdated": "2026-05-12T12:08:47.916Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-61755 (GCVE-0-2025-61755)

    Vulnerability from nvd – Published: 2025-10-21 20:03 – Updated: 2025-10-22 18:15
    VLAI
    Summary
    Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.16 and 21.0.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK accessible data.
    • CWE-862 - Missing Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.16
    Affected: 21.0.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-61755",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T18:11:21.523044Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T18:15:40.100Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.16"
                },
                {
                  "status": "affected",
                  "version": "21.0.8"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.16:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.8:*:*:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE (component: Compiler).  Supported versions that are affected are Oracle GraalVM for JDK: 17.0.16 and  21.0.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle GraalVM for JDK accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle GraalVM for JDK accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-21T20:03:10.637Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2025.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2025-61755",
        "datePublished": "2025-10-21T20:03:10.637Z",
        "dateReserved": "2025-09-30T19:21:55.556Z",
        "dateUpdated": "2025-10-22T18:15:40.100Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-61748 (GCVE-0-2025-61748)

    Vulnerability from nvd – Published: 2025-10-21 20:03 – Updated: 2026-05-12 12:08
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 21.0.8 and 25; Oracle GraalVM for JDK: 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-284 - Improper Access Control
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-61748",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T16:58:40.661275Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T18:23:18.544Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:08:32.586Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.0.8"
                },
                {
                  "status": "affected",
                  "version": "25"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.0.8"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.15"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.8:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.8:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.15:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 21.0.8 and  25; Oracle GraalVM for JDK: 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-21T20:03:08.113Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2025.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2025-61748",
        "datePublished": "2025-10-21T20:03:08.113Z",
        "dateReserved": "2025-09-30T19:21:55.554Z",
        "dateUpdated": "2026-05-12T12:08:32.586Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53066 (GCVE-0-2025-53066)

    Vulnerability from nvd – Published: 2025-10-21 20:03 – Updated: 2026-05-12 12:08
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u461
    Affected: 8u461-perf
    Affected: 11.0.28
    Affected: 17.0.16
    Affected: 21.0.8
    Affected: 25
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.16
    Affected: 21.0.8
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.15
    Create a notification for this product.
    Siemens SIMATIC CN 4100 Affected: 0 , < V5.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53066",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T19:44:34.911215Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-200",
                    "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T19:45:23.775Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T17:44:58.069Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00026.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:08:23.779Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u461"
                },
                {
                  "status": "affected",
                  "version": "8u461-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.28"
                },
                {
                  "status": "affected",
                  "version": "17.0.16"
                },
                {
                  "status": "affected",
                  "version": "21.0.8"
                },
                {
                  "status": "affected",
                  "version": "25"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.16"
                },
                {
                  "status": "affected",
                  "version": "21.0.8"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.15"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u461:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u461:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.28:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.16:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.8:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.16:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.8:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.15:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP).  Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and  21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-21T20:03:05.284Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2025.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2025-53066",
        "datePublished": "2025-10-21T20:03:05.284Z",
        "dateReserved": "2025-06-24T16:45:19.424Z",
        "dateUpdated": "2026-05-12T12:08:23.779Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53057 (GCVE-0-2025-53057)

    Vulnerability from nvd – Published: 2025-10-21 20:03 – Updated: 2026-05-12 12:08
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u461
    Affected: 8u461-perf
    Affected: 11.0.28
    Affected: 17.0.16
    Affected: 21.0.8
    Affected: 25
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.16
    Affected: 21.0.8
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.15
    Create a notification for this product.
    Siemens SIMATIC CN 4100 Affected: 0 , < V5.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53057",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T14:46:38.744889Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T14:47:54.864Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T17:44:57.058Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00026.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:08:22.628Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u461"
                },
                {
                  "status": "affected",
                  "version": "8u461-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.28"
                },
                {
                  "status": "affected",
                  "version": "17.0.16"
                },
                {
                  "status": "affected",
                  "version": "21.0.8"
                },
                {
                  "status": "affected",
                  "version": "25"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.16"
                },
                {
                  "status": "affected",
                  "version": "21.0.8"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.15"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u461:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u461:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.28:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.16:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.8:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.16:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.8:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.15:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and  21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-21T20:03:01.717Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2025.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2025-53057",
        "datePublished": "2025-10-21T20:03:01.717Z",
        "dateReserved": "2025-06-24T16:45:19.423Z",
        "dateUpdated": "2026-05-12T12:08:22.628Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34282 (GCVE-0-2026-34282)

    Vulnerability from cvelistv5 – Published: 2026-04-21 20:35 – Updated: 2026-06-30 12:09
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
    Assigner
    References
    URL Tags
    https://www.oracle.com/security-alerts/cpuapr2026.html vendor-advisory
    https://access.redhat.com/security/cve/CVE-2026-34282 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2460044 issue-trackingx_refsource_REDHAT
    https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
    https://access.redhat.com/errata/RHSA-2026:9254 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9689 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9693 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9686 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9256 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9688 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9687 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9691 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9694 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11655 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11403 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11902 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11829 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:22328 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11822 vendor-advisoryx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u481-perf
    Affected: 11.0.30
    Affected: 17.0.18
    Affected: 21.0.10
    Affected: 25.0.2
    Affected: 26
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.18
    Affected: 21.0.10
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.17
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 7     cpe:/a:redhat:openjdk_els:11::el7
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 8     cpe:/a:redhat:openjdk_els:11::el8
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 9     cpe:/a:redhat:openjdk_els:11::el9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.4)     cpe:/a:redhat:rhel_aus:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)     cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.6)     cpe:/a:redhat:rhel_aus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.6)     cpe:/a:redhat:rhel_e4s:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.6)     cpe:/a:redhat:rhel_tus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.8)     cpe:/a:redhat:rhel_e4s:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.8)     cpe:/a:redhat:rhel_tus:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.0)     cpe:/a:redhat:rhel_e4s:9.0::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.2)     cpe:/a:redhat:rhel_e4s:9.2::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CRB (v. 8)     cpe:/a:redhat:enterprise_linux:8::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::crb
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)     cpe:/a:redhat:enterprise_linux:9::crb
    Create a notification for this product.
    Red Hat OPENJDK ELS 11.0.31     cpe:/a:redhat:openjdk_els:11
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 17.0.19     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 17.0.9     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 21.0.11     cpe:/a:redhat:openjdk:21
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 25.0.3     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary EUS (v.10.2)     cpe:/o:redhat:enterprise_linux_eus:10.2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
    Create a notification for this product.
    Red Hat Temurin Build of OpenJDK 25.0.3     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 1.8     cpe:/a:redhat:openjdk:1.8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34282",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T15:33:23.475952Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T15:34:09.905Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.0::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.2::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CRB (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11"
                ],
                "defaultStatus": "affected",
                "product": "OPENJDK ELS 11.0.31",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 17.0.19",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 17.0.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:21"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 21.0.11",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 25.0.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary EUS (v.10.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Temurin Build of OpenJDK 25.0.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:1.8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of OpenJDK 1.8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-21T20:00:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-835",
                    "description": "Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:09:14.603Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-34282"
              },
              {
                "name": "RHBZ#2460044",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460044"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34282.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9254"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9689"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9693"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9686"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9256"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9688"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9687"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9691"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9694"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11655"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11403"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11902"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11829"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22328"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11822"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:9254: Red Hat OpenJDK 11 ELS for RHEL 7, Red Hat OpenJDK 11 ELS for RHEL 8, Red Hat OpenJDK 11 ELS for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9689: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9693: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9686: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4), Red Hat Enterprise Linux AppStream TUS (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.8), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9256: OPENJDK ELS 11.0.31"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9688: Red Hat Build of OpenJDK 17.0.19"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9687: Red Hat Build of OpenJDK 17.0.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9691: Red Hat Build of OpenJDK 21.0.11"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9694: Red Hat Build of OpenJDK 25.0.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11655: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11403: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11902: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11829: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22328: Red Hat Enterprise Linux Supplementary (v. 10), Red Hat Enterprise Linux Supplementary EUS (v. 10.0), Red Hat Enterprise Linux Supplementary EUS (v.10.2)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11822: Temurin Build of OpenJDK 25.0.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-21T00:00:00.000Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-21T20:00:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "openjdk: Enhance TLS connection handling (Oracle CPU 2026-04)",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u481-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.30"
                },
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                },
                {
                  "status": "affected",
                  "version": "25.0.2"
                },
                {
                  "status": "affected",
                  "version": "26"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T20:35:21.405Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-34282",
        "datePublished": "2026-04-21T20:35:21.405Z",
        "dateReserved": "2026-03-26T19:48:45.676Z",
        "dateUpdated": "2026-06-30T12:09:14.603Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-34268 (GCVE-0-2026-34268)

    Vulnerability from cvelistv5 – Published: 2026-04-21 20:35 – Updated: 2026-04-22 13:55
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u481
    Affected: 8u481-b50
    Affected: 8u481-perf
    Affected: 11.0.30
    Affected: 17.0.18
    Affected: 21.0.10
    Affected: 25.0.2
    Affected: 26
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.18
    Affected: 21.0.10
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-34268",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T13:55:07.407266Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-200",
                    "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T13:55:11.210Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u481"
                },
                {
                  "status": "affected",
                  "version": "8u481-b50"
                },
                {
                  "status": "affected",
                  "version": "8u481-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.30"
                },
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                },
                {
                  "status": "affected",
                  "version": "25.0.2"
                },
                {
                  "status": "affected",
                  "version": "26"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u481",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 2.9,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T20:35:14.204Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-34268",
        "datePublished": "2026-04-21T20:35:14.204Z",
        "dateReserved": "2026-03-26T19:48:45.674Z",
        "dateUpdated": "2026-04-22T13:55:11.210Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22021 (GCVE-0-2026-22021)

    Vulnerability from cvelistv5 – Published: 2026-04-21 20:35 – Updated: 2026-04-22 13:58
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
    • CWE-400 - Uncontrolled Resource Consumption
    Assigner
    References
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u481
    Affected: 8u481-b50
    Affected: 8u481-perf
    Affected: 11.0.30
    Affected: 17.0.18
    Affected: 21.0.10
    Affected: 25.0.2
    Affected: 26
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.18
    Affected: 21.0.10
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22021",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T13:58:16.461640Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T13:58:23.932Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u481"
                },
                {
                  "status": "affected",
                  "version": "8u481-b50"
                },
                {
                  "status": "affected",
                  "version": "8u481-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.30"
                },
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                },
                {
                  "status": "affected",
                  "version": "25.0.2"
                },
                {
                  "status": "affected",
                  "version": "26"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u481",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T20:35:12.845Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-22021",
        "datePublished": "2026-04-21T20:35:12.845Z",
        "dateReserved": "2026-01-05T18:07:34.731Z",
        "dateUpdated": "2026-04-22T13:58:23.932Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22018 (GCVE-0-2026-22018)

    Vulnerability from cvelistv5 – Published: 2026-04-21 20:35 – Updated: 2026-04-22 14:06
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
    • CWE-770 - Allocation of Resources Without Limits or Throttling
    Assigner
    References
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u481
    Affected: 8u481-b50
    Affected: 8u481-perf
    Affected: 11.0.30
    Affected: 17.0.18
    Affected: 21.0.10
    Affected: 25.0.2
    Affected: 26
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.18
    Affected: 21.0.10
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22018",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T14:05:52.390108Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-770",
                    "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T14:06:10.533Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u481"
                },
                {
                  "status": "affected",
                  "version": "8u481-b50"
                },
                {
                  "status": "affected",
                  "version": "8u481-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.30"
                },
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                },
                {
                  "status": "affected",
                  "version": "25.0.2"
                },
                {
                  "status": "affected",
                  "version": "26"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u481",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T20:35:11.445Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-22018",
        "datePublished": "2026-04-21T20:35:11.445Z",
        "dateReserved": "2026-01-05T18:07:34.728Z",
        "dateUpdated": "2026-04-22T14:06:10.533Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22016 (GCVE-0-2026-22016)

    Vulnerability from cvelistv5 – Published: 2026-04-21 20:35 – Updated: 2026-06-30 12:06
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    • CWE-502 - Deserialization of Untrusted Data
    • CWE-611 - Improper Restriction of XML External Entity Reference
    Assigner
    References
    URL Tags
    https://www.oracle.com/security-alerts/cpuapr2026.html vendor-advisory
    https://access.redhat.com/security/cve/CVE-2026-22016 vdb-entryx_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=2460039 issue-trackingx_refsource_REDHAT
    https://security.access.redhat.com/data/csaf/v2/v… x_sadp-csaf-vex
    https://access.redhat.com/errata/RHSA-2026:9682 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9254 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9689 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9693 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9683 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9686 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9256 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9688 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9687 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9691 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9694 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:9684 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11655 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11403 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11902 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11829 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:22328 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:22139 vendor-advisoryx_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2026:11822 vendor-advisoryx_refsource_REDHAT
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u481
    Affected: 8u481-b50
    Affected: 8u481-perf
    Affected: 11.0.30
    Affected: 17.0.18
    Affected: 21.0.10
    Affected: 25.0.2
    Affected: 26
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.18
    Affected: 21.0.10
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.17
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Server (v. 7 ELS)     cpe:/o:redhat:rhel_els:7
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 7     cpe:/a:redhat:openjdk_els:11::el7
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Server Optional (v. 7 ELS)     cpe:/o:redhat:rhel_els:7
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 8     cpe:/a:redhat:openjdk_els:11::el8
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 9     cpe:/a:redhat:openjdk_els:11::el9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v. 8.2)     cpe:/a:redhat:rhel_aus:8.2::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.4)     cpe:/a:redhat:rhel_aus:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)     cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.6)     cpe:/a:redhat:rhel_aus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.6)     cpe:/a:redhat:rhel_e4s:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.6)     cpe:/a:redhat:rhel_tus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.8)     cpe:/a:redhat:rhel_e4s:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.8)     cpe:/a:redhat:rhel_tus:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.0)     cpe:/a:redhat:rhel_e4s:9.0::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.2)     cpe:/a:redhat:rhel_e4s:9.2::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CRB (v. 8)     cpe:/a:redhat:enterprise_linux:8::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::crb
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)     cpe:/a:redhat:enterprise_linux:9::crb
    Create a notification for this product.
    Red Hat OPENJDK ELS 11.0.31     cpe:/a:redhat:openjdk_els:11
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 17.0.19     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 17.0.9     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 21.0.11     cpe:/a:redhat:openjdk:21
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 25.0.3     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 8u492     cpe:/a:redhat:openjdk:1.8
    Create a notification for this product.
    Red Hat Red Hat Hardened Images     cpe:/a:redhat:hummingbird:1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary EUS (v.10.2)     cpe:/o:redhat:enterprise_linux_eus:10.2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary (v. 10)     cpe:/o:redhat:enterprise_linux:10.2
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary (v. 8)     cpe:/a:redhat:enterprise_linux:8::supplementary
    Create a notification for this product.
    Red Hat Temurin Build of OpenJDK 25.0.3     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22016",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T14:11:15.674948Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-200",
                    "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              },
              {
                "descriptions": [
                  {
                    "cweId": "CWE-502",
                    "description": "CWE-502 Deserialization of Untrusted Data",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T14:12:01.017Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_els:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Server (v. 7 ELS)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_els:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.2::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.0::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.2::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CRB (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11"
                ],
                "defaultStatus": "affected",
                "product": "OPENJDK ELS 11.0.31",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 17.0.19",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 17.0.9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:21"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 21.0.11",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 25.0.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:1.8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 8u492",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:hummingbird:1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Hardened Images",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary EUS (v.10.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.2"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::supplementary"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Temurin Build of OpenJDK 25.0.3",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-04-21T20:00:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-611",
                    "description": "Improper Restriction of XML External Entity Reference",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:48.107Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-22016"
              },
              {
                "name": "RHBZ#2460039",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460039"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-22016.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9682"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9254"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9689"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9693"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9683"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9686"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9256"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9688"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9687"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9691"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9694"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:9684"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11655"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11403"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11902"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11829"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22328"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:22139"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:11822"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:9682: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9254: Red Hat OpenJDK 11 ELS for RHEL 7, Red Hat OpenJDK 11 ELS for RHEL 8, Red Hat OpenJDK 11 ELS for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9689: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9693: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9683: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream AUS (v. 8.2), Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4), Red Hat Enterprise Linux AppStream TUS (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.8), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9686: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4), Red Hat Enterprise Linux AppStream TUS (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.8), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9256: OPENJDK ELS 11.0.31"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9688: Red Hat Build of OpenJDK 17.0.19"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9687: Red Hat Build of OpenJDK 17.0.9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9691: Red Hat Build of OpenJDK 21.0.11"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9694: Red Hat Build of OpenJDK 25.0.3"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:9684: Red Hat Build of OpenJDK 8u492"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11655: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11403: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11902: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11829: Red Hat Hardened Images"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22328: Red Hat Enterprise Linux Supplementary (v. 10), Red Hat Enterprise Linux Supplementary EUS (v. 10.0), Red Hat Enterprise Linux Supplementary EUS (v.10.2)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:22139: Red Hat Enterprise Linux Supplementary (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:11822: Temurin Build of OpenJDK 25.0.3"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-04-21T00:00:00.000Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-04-21T20:00:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "openjdk: Enhance Path Factories Redux (Oracle CPU 2026-04)",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u481"
                },
                {
                  "status": "affected",
                  "version": "8u481-b50"
                },
                {
                  "status": "affected",
                  "version": "8u481-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.30"
                },
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                },
                {
                  "status": "affected",
                  "version": "25.0.2"
                },
                {
                  "status": "affected",
                  "version": "26"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u481",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T20:35:10.242Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-22016",
        "datePublished": "2026-04-21T20:35:10.242Z",
        "dateReserved": "2026-01-05T18:07:34.728Z",
        "dateUpdated": "2026-06-30T12:06:48.107Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22013 (GCVE-0-2026-22013)

    Vulnerability from cvelistv5 – Published: 2026-04-21 20:35 – Updated: 2026-04-22 14:09
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-693 - Protection Mechanism Failure
    Assigner
    References
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u481
    Affected: 8u481-b50
    Affected: 8u481-perf
    Affected: 11.0.30
    Affected: 17.0.18
    Affected: 21.0.10
    Affected: 25.0.2
    Affected: 26
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.18
    Affected: 21.0.10
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22013",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T14:09:34.920958Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-693",
                    "description": "CWE-693 Protection Mechanism Failure",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T14:09:54.302Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u481"
                },
                {
                  "status": "affected",
                  "version": "8u481-b50"
                },
                {
                  "status": "affected",
                  "version": "8u481-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.30"
                },
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                },
                {
                  "status": "affected",
                  "version": "25.0.2"
                },
                {
                  "status": "affected",
                  "version": "26"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u481",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T20:35:08.836Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-22013",
        "datePublished": "2026-04-21T20:35:08.836Z",
        "dateReserved": "2026-01-05T18:07:34.727Z",
        "dateUpdated": "2026-04-22T14:09:54.302Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-22007 (GCVE-0-2026-22007)

    Vulnerability from cvelistv5 – Published: 2026-04-21 20:35 – Updated: 2026-04-22 14:05
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u481
    Affected: 8u481-b50
    Affected: 8u481-perf
    Affected: 11.0.30
    Affected: 17.0.18
    Affected: 21.0.10
    Affected: 25.0.2
    Affected: 26
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.18
    Affected: 21.0.10
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.17
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-22007",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-22T14:05:16.229810Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-200",
                    "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-22T14:05:28.424Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u481"
                },
                {
                  "status": "affected",
                  "version": "8u481-b50"
                },
                {
                  "status": "affected",
                  "version": "8u481-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.30"
                },
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                },
                {
                  "status": "affected",
                  "version": "25.0.2"
                },
                {
                  "status": "affected",
                  "version": "26"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.18"
                },
                {
                  "status": "affected",
                  "version": "21.0.10"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.17"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u481",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 2.9,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-21T20:35:04.885Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-22007",
        "datePublished": "2026-04-21T20:35:04.885Z",
        "dateReserved": "2026-01-05T18:07:34.726Z",
        "dateUpdated": "2026-04-22T14:05:28.424Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21945 (GCVE-0-2026-21945)

    Vulnerability from cvelistv5 – Published: 2026-01-20 21:56 – Updated: 2026-06-30 12:06
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
    • CWE-400 - Uncontrolled Resource Consumption
    • CWE-295 - Improper Certificate Validation
    Assigner
    References
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u471
    Affected: 8u471-b50
    Affected: 8u471-perf
    Affected: 11.0.29
    Affected: 17.0.17
    Affected: 21.0.9
    Affected: 25.0.1
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.17
    Affected: 21.0.9
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.16
    Create a notification for this product.
    Siemens SIMATIC CN 4100 Affected: 0 , < V5.0 (custom)
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Server (v. 7 ELS)     cpe:/o:redhat:rhel_els:7
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 7     cpe:/a:redhat:openjdk_els:11::el7
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Server Optional (v. 7 ELS)     cpe:/o:redhat:rhel_els:7
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 8     cpe:/a:redhat:openjdk_els:11::el8
    Create a notification for this product.
    Red Hat Red Hat OpenJDK 11 ELS for RHEL 9     cpe:/a:redhat:openjdk_els:11::el9
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 8)     cpe:/a:redhat:enterprise_linux:8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v. 8.2)     cpe:/a:redhat:rhel_aus:8.2::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.4)     cpe:/a:redhat:rhel_aus:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)     cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream AUS (v.8.6)     cpe:/a:redhat:rhel_aus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.6)     cpe:/a:redhat:rhel_e4s:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.6)     cpe:/a:redhat:rhel_tus:8.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.8.8)     cpe:/a:redhat:rhel_e4s:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream TUS (v.8.8)     cpe:/a:redhat:rhel_tus:8.8::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.0)     cpe:/a:redhat:rhel_e4s:9.0::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream E4S (v.9.2)     cpe:/a:redhat:rhel_e4s:9.2::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux AppStream (v. 9)     cpe:/a:redhat:enterprise_linux:9::appstream
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)     cpe:/o:redhat:enterprise_linux_eus:10.0
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)     cpe:/o:redhat:enterprise_linux:10.1
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CRB (v. 8)     cpe:/a:redhat:enterprise_linux:8::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.4)     cpe:/a:redhat:rhel_eus:9.4::crb
    Create a notification for this product.
    Red Hat Red Hat CodeReady Linux Builder EUS (v.9.6)     cpe:/a:redhat:rhel_eus:9.6::crb
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)     cpe:/a:redhat:enterprise_linux:9::crb
    Create a notification for this product.
    Red Hat OPENJDK ELS 11.0.30     cpe:/a:redhat:openjdk_els:11
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 17.0.18     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 21.0.10     cpe:/a:redhat:openjdk:21
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 25.0.2     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 8u482     cpe:/a:redhat:openjdk:1.8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux Supplementary (v. 8)     cpe:/a:redhat:enterprise_linux:8::supplementary
    Create a notification for this product.
    Red Hat Temurin Build of OpenJDK 25.0.2     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21945",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T15:04:39.899042Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-400",
                    "description": "CWE-400 Uncontrolled Resource Consumption",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T15:05:36.940Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:08:51.450Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_els:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Server (v. 7 ELS)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:rhel_els:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11::el9"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat OpenJDK 11 ELS for RHEL 9",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.2::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v. 8.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_aus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_tus:8.8::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.0::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_e4s:9.2::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::appstream"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux AppStream (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux_eus:10.0"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10.1"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CRB (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.4::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.4)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:rhel_eus:9.6::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat CodeReady Linux Builder EUS (v.9.6)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:9::crb"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11"
                ],
                "defaultStatus": "affected",
                "product": "OPENJDK ELS 11.0.30",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 17.0.18",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:21"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 21.0.10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 25.0.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:1.8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 8u482",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:enterprise_linux:8::supplementary"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux Supplementary (v. 8)",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Temurin Build of OpenJDK 25.0.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-01-20T21:21:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and  21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-295",
                    "description": "Improper Certificate Validation",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:26.782Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-21945"
              },
              {
                "name": "RHBZ#2429927",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429927"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21945.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0931"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0847"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0928"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0933"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0932"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0927"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0848"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0897"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0899"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0901"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0895"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:4832"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:1606"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:0931: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0847: Red Hat OpenJDK 11 ELS for RHEL 7, Red Hat OpenJDK 11 ELS for RHEL 8, Red Hat OpenJDK 11 ELS for RHEL 9"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0928: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0933: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0932: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream AUS (v. 8.2), Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4), Red Hat Enterprise Linux AppStream TUS (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.8), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0927: Red Hat CodeReady Linux Builder EUS (v.9.4), Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.6), Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream E4S (v.9.0), Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux AppStream EUS (v.9.4), Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4), Red Hat Enterprise Linux AppStream TUS (v.8.6), Red Hat Enterprise Linux AppStream TUS (v.8.8), Red Hat Enterprise Linux CRB (v. 8), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0848: OPENJDK ELS 11.0.30"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0897: Red Hat Build of OpenJDK 17.0.18"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0899: Red Hat Build of OpenJDK 21.0.10"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0901: Red Hat Build of OpenJDK 25.0.2"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0895: Red Hat Build of OpenJDK 8u482"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:4832: Red Hat Enterprise Linux Supplementary (v. 8)"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:1606: Temurin Build of OpenJDK 25.0.2"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-01-15T12:05:58.026Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-01-20T21:21:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "openjdk: Enhance Certificate Checking (Oracle CPU 2026-01)",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u471"
                },
                {
                  "status": "affected",
                  "version": "8u471-b50"
                },
                {
                  "status": "affected",
                  "version": "8u471-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.29"
                },
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                },
                {
                  "status": "affected",
                  "version": "25.0.1"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.16"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u471",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.29:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.1:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.16:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and  21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T21:56:27.997Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-21945",
        "datePublished": "2026-01-20T21:56:27.997Z",
        "dateReserved": "2026-01-05T18:07:34.712Z",
        "dateUpdated": "2026-06-30T12:06:26.782Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21933 (GCVE-0-2026-21933)

    Vulnerability from cvelistv5 – Published: 2026-01-20 21:56 – Updated: 2026-05-12 12:08
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-noinfo Not enough information
    Assigner
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u471
    Affected: 8u471-b50
    Affected: 8u471-perf
    Affected: 11.0.29
    Affected: 17.0.17
    Affected: 21.0.9
    Affected: 25.0.1
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.17
    Affected: 21.0.9
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.16
    Create a notification for this product.
    Siemens SIMATIC CN 4100 Affected: 0 , < V5.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21933",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T20:56:13.969343Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "CWE-noinfo Not enough information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T20:56:25.029Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:08:50.255Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u471"
                },
                {
                  "status": "affected",
                  "version": "8u471-b50"
                },
                {
                  "status": "affected",
                  "version": "8u471-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.29"
                },
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                },
                {
                  "status": "affected",
                  "version": "25.0.1"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.16"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u471",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.29:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.1:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.16:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking).  Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and  21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T21:56:24.083Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-21933",
        "datePublished": "2026-01-20T21:56:24.083Z",
        "dateReserved": "2026-01-05T18:07:34.709Z",
        "dateUpdated": "2026-05-12T12:08:50.255Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21932 (GCVE-0-2026-21932)

    Vulnerability from cvelistv5 – Published: 2026-01-20 21:56 – Updated: 2026-06-30 12:06
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-noinfo Not enough information
    • CWE-1287 - Improper Validation of Specified Type of Input
    Assigner
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u471
    Affected: 8u471-b50
    Affected: 8u471-perf
    Affected: 11.0.29
    Affected: 17.0.17
    Affected: 21.0.9
    Affected: 25.0.1
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.17
    Affected: 21.0.9
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.16
    Create a notification for this product.
    Siemens SIMATIC CN 4100 Affected: 0 , < V5.0 (custom)
    Create a notification for this product.
    Red Hat OPENJDK ELS 11.0.30     cpe:/a:redhat:openjdk_els:11
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 17.0.18     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 21.0.10     cpe:/a:redhat:openjdk:21
    Create a notification for this product.
    Red Hat Red Hat Build of OpenJDK 8u482     cpe:/a:redhat:openjdk:1.8
    Create a notification for this product.
    Red Hat Temurin Build of OpenJDK 25.0.2     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 6     cpe:/o:redhat:enterprise_linux:6
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 7     cpe:/o:redhat:enterprise_linux:7
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 1.8     cpe:/a:redhat:openjdk:1.8
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 11 ELS     cpe:/a:redhat:openjdk_els:11
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 17     cpe:/a:redhat:openjdk:17
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 21     cpe:/a:redhat:openjdk:21
    Create a notification for this product.
    Red Hat Red Hat build of OpenJDK 25     cpe:/a:redhat:openjdk:25
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
    Create a notification for this product.
    Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21932",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T20:55:36.680427Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "CWE-noinfo Not enough information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T20:55:54.335Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:08:49.052Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11"
                ],
                "defaultStatus": "affected",
                "product": "OPENJDK ELS 11.0.30",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 17.0.18",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:21"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 21.0.10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:1.8"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Build of OpenJDK 8u482",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "affected",
                "product": "Temurin Build of OpenJDK 25.0.2",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:6"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 6",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:7"
                ],
                "defaultStatus": "affected",
                "product": "Red Hat Enterprise Linux 7",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:1.8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of OpenJDK 1.8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk_els:11"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of OpenJDK 11 ELS",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:17"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of OpenJDK 17",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:21"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of OpenJDK 21",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/a:redhat:openjdk:25"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat build of OpenJDK 25",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:10"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 10",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:8"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 8",
                "vendor": "Red Hat"
              },
              {
                "cpes": [
                  "cpe:/o:redhat:enterprise_linux:9"
                ],
                "defaultStatus": "unaffected",
                "product": "Red Hat Enterprise Linux 9",
                "vendor": "Red Hat"
              }
            ],
            "datePublic": "2026-01-20T21:21:00.000Z",
            "descriptions": [
              {
                "lang": "en",
                "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX).  Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and  21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)."
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "namespace": "https://access.redhat.com/security/updates/classification/",
                    "value": "Important"
                  },
                  "type": "Red Hat severity rating"
                }
              },
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.4,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "REQUIRED",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
                  "version": "3.1"
                },
                "format": "CVSS"
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1287",
                    "description": "Improper Validation of Specified Type of Input",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-30T12:06:27.072Z",
              "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
              "shortName": "redhat-SADP"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/security/cve/CVE-2026-21932"
              },
              {
                "name": "RHBZ#2429925",
                "tags": [
                  "issue-tracking",
                  "x_refsource_REDHAT"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2429925"
              },
              {
                "tags": [
                  "x_sadp-csaf-vex"
                ],
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21932.json"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0849"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0898"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0900"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:0896"
              },
              {
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2026:1606"
              }
            ],
            "solutions": [
              {
                "lang": "en",
                "value": "RHSA-2026:0849: OPENJDK ELS 11.0.30"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0898: Red Hat Build of OpenJDK 17.0.18"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0900: Red Hat Build of OpenJDK 21.0.10"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:0896: Red Hat Build of OpenJDK 8u482"
              },
              {
                "lang": "en",
                "value": "RHSA-2026:1606: Temurin Build of OpenJDK 25.0.2"
              }
            ],
            "timeline": [
              {
                "lang": "en",
                "time": "2026-01-15T12:01:50.512Z",
                "value": "Reported to Red Hat."
              },
              {
                "lang": "en",
                "time": "2026-01-20T21:21:00.000Z",
                "value": "Made public."
              }
            ],
            "title": "openjdk: Enhance Handling of URIs (Oracle CPU 2026-01)",
            "x_adpType": "supplier",
            "x_generator": {
              "engine": "sadp-cli 1.0.0"
            }
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u471"
                },
                {
                  "status": "affected",
                  "version": "8u471-b50"
                },
                {
                  "status": "affected",
                  "version": "8u471-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.29"
                },
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                },
                {
                  "status": "affected",
                  "version": "25.0.1"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.16"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u471",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.29:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.1:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.16:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX).  Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and  21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T21:56:23.742Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-21932",
        "datePublished": "2026-01-20T21:56:23.742Z",
        "dateReserved": "2026-01-05T18:07:34.709Z",
        "dateUpdated": "2026-06-30T12:06:27.072Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-21925 (GCVE-0-2026-21925)

    Vulnerability from cvelistv5 – Published: 2026-01-20 21:56 – Updated: 2026-05-12 12:08
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-noinfo Not enough information
    Assigner
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u471
    Affected: 8u471-b50
    Affected: 8u471-perf
    Affected: 11.0.29
    Affected: 17.0.17
    Affected: 21.0.9
    Affected: 25.0.1
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.17
    Affected: 21.0.9
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.16
    Create a notification for this product.
    Siemens SIMATIC CN 4100 Affected: 0 , < V5.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-21925",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-21T20:50:27.654836Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "description": "CWE-noinfo Not enough information",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-21T20:51:07.046Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:08:47.916Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u471"
                },
                {
                  "status": "affected",
                  "version": "8u471-b50"
                },
                {
                  "status": "affected",
                  "version": "8u471-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.29"
                },
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                },
                {
                  "status": "affected",
                  "version": "25.0.1"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.17"
                },
                {
                  "status": "affected",
                  "version": "21.0.9"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.16"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*",
                      "versionEndIncluding": "b50",
                      "versionStartIncluding": "8u471",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u471:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.29:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25.0.1:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.17:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.9:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.16:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI).  Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and  21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as  unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-20T21:56:21.058Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpujan2026.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2026-21925",
        "datePublished": "2026-01-20T21:56:21.058Z",
        "dateReserved": "2026-01-05T18:07:34.708Z",
        "dateUpdated": "2026-05-12T12:08:47.916Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-61755 (GCVE-0-2025-61755)

    Vulnerability from cvelistv5 – Published: 2025-10-21 20:03 – Updated: 2025-10-22 18:15
    VLAI
    Summary
    Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.16 and 21.0.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK accessible data.
    • CWE-862 - Missing Authorization
    Assigner
    References
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.16
    Affected: 21.0.8
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-61755",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T18:11:21.523044Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T18:15:40.100Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.16"
                },
                {
                  "status": "affected",
                  "version": "21.0.8"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.16:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.8:*:*:*:*:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE (component: Compiler).  Supported versions that are affected are Oracle GraalVM for JDK: 17.0.16 and  21.0.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle GraalVM for JDK accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK.  Successful attacks of this vulnerability can result in  unauthorized read access to a subset of Oracle GraalVM for JDK accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-21T20:03:10.637Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2025.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2025-61755",
        "datePublished": "2025-10-21T20:03:10.637Z",
        "dateReserved": "2025-09-30T19:21:55.556Z",
        "dateUpdated": "2025-10-22T18:15:40.100Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-61748 (GCVE-0-2025-61748)

    Vulnerability from cvelistv5 – Published: 2025-10-21 20:03 – Updated: 2026-05-12 12:08
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 21.0.8 and 25; Oracle GraalVM for JDK: 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-284 - Improper Access Control
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-61748",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T16:58:40.661275Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T18:23:18.544Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:08:32.586Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.0.8"
                },
                {
                  "status": "affected",
                  "version": "25"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.0.8"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.15"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.8:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.8:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.15:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries).  Supported versions that are affected are Oracle Java SE: 21.0.8 and  25; Oracle GraalVM for JDK: 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-21T20:03:08.113Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2025.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2025-61748",
        "datePublished": "2025-10-21T20:03:08.113Z",
        "dateReserved": "2025-09-30T19:21:55.554Z",
        "dateUpdated": "2026-05-12T12:08:32.586Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53066 (GCVE-0-2025-53066)

    Vulnerability from cvelistv5 – Published: 2025-10-21 20:03 – Updated: 2026-05-12 12:08
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u461
    Affected: 8u461-perf
    Affected: 11.0.28
    Affected: 17.0.16
    Affected: 21.0.8
    Affected: 25
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.16
    Affected: 21.0.8
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.15
    Create a notification for this product.
    Siemens SIMATIC CN 4100 Affected: 0 , < V5.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53066",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T19:44:34.911215Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-200",
                    "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T19:45:23.775Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T17:44:58.069Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00026.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:08:23.779Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u461"
                },
                {
                  "status": "affected",
                  "version": "8u461-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.28"
                },
                {
                  "status": "affected",
                  "version": "17.0.16"
                },
                {
                  "status": "affected",
                  "version": "21.0.8"
                },
                {
                  "status": "affected",
                  "version": "25"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.16"
                },
                {
                  "status": "affected",
                  "version": "21.0.8"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.15"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u461:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u461:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.28:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.16:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.8:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.16:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.8:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.15:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP).  Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and  21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-21T20:03:05.284Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2025.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2025-53066",
        "datePublished": "2025-10-21T20:03:05.284Z",
        "dateReserved": "2025-06-24T16:45:19.424Z",
        "dateUpdated": "2026-05-12T12:08:23.779Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-53057 (GCVE-0-2025-53057)

    Vulnerability from cvelistv5 – Published: 2025-10-21 20:03 – Updated: 2026-05-12 12:08
    VLAI
    Summary
    Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
    • CWE-284 - Improper Access Control
    Assigner
    Impacted products
    Vendor Product Version
    Oracle Corporation Oracle Java SE Affected: 8u461
    Affected: 8u461-perf
    Affected: 11.0.28
    Affected: 17.0.16
    Affected: 21.0.8
    Affected: 25
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM for JDK Affected: 17.0.16
    Affected: 21.0.8
    Create a notification for this product.
    Oracle Corporation Oracle GraalVM Enterprise Edition Affected: 21.3.15
    Create a notification for this product.
    Siemens SIMATIC CN 4100 Affected: 0 , < V5.0 (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-53057",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-10-22T14:46:38.744889Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-284",
                    "description": "CWE-284 Improper Access Control",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-10-22T14:47:54.864Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2025-11-03T17:44:57.058Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00026.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "defaultStatus": "unknown",
                "product": "SIMATIC CN 4100",
                "vendor": "Siemens",
                "versions": [
                  {
                    "lessThan": "V5.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T12:08:22.628Z",
              "orgId": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
              "shortName": "siemens-SADP"
            },
            "references": [
              {
                "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
              }
            ],
            "x_adpType": "supplier"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Oracle Java SE",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "8u461"
                },
                {
                  "status": "affected",
                  "version": "8u461-perf"
                },
                {
                  "status": "affected",
                  "version": "11.0.28"
                },
                {
                  "status": "affected",
                  "version": "17.0.16"
                },
                {
                  "status": "affected",
                  "version": "21.0.8"
                },
                {
                  "status": "affected",
                  "version": "25"
                }
              ]
            },
            {
              "product": "Oracle GraalVM for JDK",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "17.0.16"
                },
                {
                  "status": "affected",
                  "version": "21.0.8"
                }
              ]
            },
            {
              "product": "Oracle GraalVM Enterprise Edition",
              "vendor": "Oracle Corporation",
              "versions": [
                {
                  "status": "affected",
                  "version": "21.3.15"
                }
              ]
            }
          ],
          "cpeApplicability": [
            {
              "nodes": [
                {
                  "cpeMatch": [
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u461:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:8u461:*:*:*:enterprise_performance:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:11.0.28:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:17.0.16:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:21.0.8:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:java_se:25:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.16:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.8:*:*:*:*:*:*:*",
                      "vulnerable": true
                    },
                    {
                      "criteria": "cpe:2.3:a:oracle:graalvm:21.3.15:*:*:*:enterprise:*:*:*",
                      "vulnerable": true
                    }
                  ],
                  "negate": false,
                  "operator": "OR"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en-US",
              "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).  Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and  21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful attacks of this vulnerability can result in  unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.",
                  "lang": "en-US"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-21T20:03:01.717Z",
            "orgId": "43595867-4340-4103-b7a2-9a5208d29a85",
            "shortName": "oracle"
          },
          "references": [
            {
              "name": "Oracle Advisory",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.oracle.com/security-alerts/cpuoct2025.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85",
        "assignerShortName": "oracle",
        "cveId": "CVE-2025-53057",
        "datePublished": "2025-10-21T20:03:01.717Z",
        "dateReserved": "2025-06-24T16:45:19.423Z",
        "dateUpdated": "2026-05-12T12:08:22.628Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }