Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Published: 2026-01-20
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification and Disclosure
Action: Patch
AI Analysis

Impact

The flaw resides in the remote method invocation (RMI) component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. An unauthenticated attacker that can reach the JVM over the network can execute privileged operations via JMX or RMI, enabling the attacker to read, insert, update, or delete data accessible through these interfaces. The weakness is classified as CWE-322, an authentication bypass that compromises confidentiality and integrity of application data.

Affected Systems

Affected versions include Oracle Java SE 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, and 25.0.1; Oracle GraalVM for JDK 17.0.17 and 21.0.9; and Oracle GraalVM Enterprise Edition 21.3.16. Red Hat OpenJDK Enterprise Linux Service 11 deployments on EL7, EL8, and EL9 may also be vulnerable due to bundled Java runtimes.

Risk and Exploitability

CVSS v3.1 base score of 4.8 reflects moderate severity with low confidentiality and integrity impact and no availability effect. The EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw over the network via exposed RMI or JMX interfaces; no authentication or privilege elevation is required. Because the vulnerability is described as difficult to exploit, a non-trivial threat model is implied, but the overall risk remains moderate.

Generated by OpenCVE AI on April 18, 2026 at 15:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Oracle Java SE, Oracle GraalVM for JDK, or Oracle GraalVM Enterprise Edition to the latest release that includes the RMI fix, following Oracle’s security advisory.
  • While awaiting a patch, bind the JMX connector or RMI service to localhost, disable external JMX, or enforce firewall rules to block access to the default RMI port (typically 1099).
  • Continuously monitor for anomalous remote calls or outbound traffic that may indicate exploitation and disable unnecessary remote interfaces in production environments.

Generated by OpenCVE AI on April 18, 2026 at 15:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4456-1 openjdk-17 security update
Debian DLA Debian DLA DLA-4457-1 openjdk-11 security update
Debian DSA Debian DSA DSA-6110-1 openjdk-17 security update
Debian DSA Debian DSA DSA-6112-1 openjdk-21 security update
Debian DSA Debian DSA DSA-6119-1 openjdk-25 security update
Ubuntu USN Ubuntu USN USN-7995-1 OpenJDK 25 vulnerabilities
Ubuntu USN Ubuntu USN USN-7996-1 CRaC JDK 25 vulnerabilities
Ubuntu USN Ubuntu USN USN-7997-1 CRaC JDK 17 vulnerabilities
Ubuntu USN Ubuntu USN USN-7998-1 OpenJDK 17 vulnerabilities
Ubuntu USN Ubuntu USN USN-8000-1 OpenJDK 8 vulnerabilities
Ubuntu USN Ubuntu USN USN-8001-1 OpenJDK 11 vulnerabilities
Ubuntu USN Ubuntu USN USN-8002-1 OpenJDK 21 vulnerabilities
Ubuntu USN Ubuntu USN USN-8003-1 CRaC JDK 21 vulnerabilities
History

Fri, 30 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Oracle jdk
Oracle jre
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:oracle:jdk:1.8.0:update471:*:*:-:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update471:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update471_b50:*:*:-:*:*:*
cpe:2.3:a:oracle:jdk:11.0.29:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:25.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update471:*:*:-:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update471:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update471_b50:*:*:-:*:*:*
cpe:2.3:a:oracle:jre:11.0.29:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:25.0.1:*:*:*:*:*:*:*
Vendors & Products Oracle jdk
Oracle jre

Thu, 22 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Title openjdk: Improve JMX connections (Oracle CPU 2026-01)
First Time appeared Redhat
Redhat openjdk Els
Weaknesses CWE-322
CPEs cpe:/a:redhat:openjdk_els:11
cpe:/a:redhat:openjdk_els:11::el7
cpe:/a:redhat:openjdk_els:11::el8
cpe:/a:redhat:openjdk_els:11::el9
Vendors & Products Redhat
Redhat openjdk Els
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 21 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
First Time appeared Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
CPEs cpe:2.3:a:oracle:graalvm:21.3.16:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:11.0.29:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:25.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u471:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u471:*:*:*:enterprise_performance:*:*:*
Vendors & Products Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Oracle Graalvm Graalvm For Jdk Java Se Jdk Jre
Redhat Openjdk Els
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T20:51:07.046Z

Reserved: 2026-01-05T18:07:34.708Z

Link: CVE-2026-21925

cve-icon Vulnrichment

Updated: 2026-01-21T20:50:35.842Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-20T22:15:54.917

Modified: 2026-01-30T16:11:07.073

Link: CVE-2026-21925

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-20T21:21:00Z

Links: CVE-2026-21925 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses