Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).
Published: 2026-01-20
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of critical data
Action: Immediate Patch
AI Analysis

Impact

A vulnerability exists in the handling of URIs within Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition affecting components such as AWT and JavaFX. When a sandboxed Java Web Start application or applet loads and executes untrusted code from the internet, an unauthenticated attacker can exploit this flaw to create, delete or modify data that the victim user has access to. The vulnerability requires user interaction from a person other than the attacker, but once that occurs it can change the software scope, leading to broader impact across the affected products.

Affected Systems

Affected vendors include Oracle Corporation with products Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK, and Oracle Java SE. The versions impacted are Oracle GraalVM Enterprise Edition 21.3.16; Oracle GraalVM for JDK 17.0.17 and 21.0.9; Oracle Java SE 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, and 25.0.1.

Risk and Exploitability

The CVSS 3.1 base score is 7.4, indicating a high integrity impact. EPSS is less than 1% and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower likelihood of widespread exploitation at this time. The attack vector is likely through network protocols that deliver a Java Web Start or applet payload, requiring the victim to interact with untrusted code. Once the vulnerability is exercised, it can lead to unauthorized data modification within the affected Java environment.

Generated by OpenCVE AI on April 18, 2026 at 04:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition to the latest releases that contain the fix for CVE-2026-21932.
  • If immediate updates are not available, apply any relevant Oracle security patches that address this URI handling issue.
  • Restrict or disable Java Web Start and Java applet functionality or configure the Java sandbox to enforce strict policy so only trusted code can run.

Generated by OpenCVE AI on April 18, 2026 at 04:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4456-1 openjdk-17 security update
Debian DLA Debian DLA DLA-4457-1 openjdk-11 security update
Debian DSA Debian DSA DSA-6110-1 openjdk-17 security update
Debian DSA Debian DSA DSA-6112-1 openjdk-21 security update
Debian DSA Debian DSA DSA-6119-1 openjdk-25 security update
Ubuntu USN Ubuntu USN USN-7995-1 OpenJDK 25 vulnerabilities
Ubuntu USN Ubuntu USN USN-7996-1 CRaC JDK 25 vulnerabilities
Ubuntu USN Ubuntu USN USN-7997-1 CRaC JDK 17 vulnerabilities
Ubuntu USN Ubuntu USN USN-7998-1 OpenJDK 17 vulnerabilities
Ubuntu USN Ubuntu USN USN-8000-1 OpenJDK 8 vulnerabilities
Ubuntu USN Ubuntu USN USN-8001-1 OpenJDK 11 vulnerabilities
Ubuntu USN Ubuntu USN USN-8002-1 OpenJDK 21 vulnerabilities
Ubuntu USN Ubuntu USN USN-8003-1 CRaC JDK 21 vulnerabilities
History

Fri, 30 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Oracle jdk
Oracle jre
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:oracle:jdk:1.8.0:update471:*:*:-:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update471:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update471_b50:*:*:-:*:*:*
cpe:2.3:a:oracle:jdk:11.0.29:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:25.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update471:*:*:-:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update471:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update471_b50:*:*:-:*:*:*
cpe:2.3:a:oracle:jre:11.0.29:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:25.0.1:*:*:*:*:*:*:*
Vendors & Products Oracle jdk
Oracle jre

Thu, 22 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Title openjdk: Enhance Handling of URIs (Oracle CPU 2026-01)
First Time appeared Redhat
Redhat openjdk Els
Weaknesses CWE-1287
CPEs cpe:/a:redhat:openjdk_els:11
Vendors & Products Redhat
Redhat openjdk Els
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 21 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).
First Time appeared Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
CPEs cpe:2.3:a:oracle:graalvm:21.3.16:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:11.0.29:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:25.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u471:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u471:*:*:*:enterprise_performance:*:*:*
Vendors & Products Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N'}

Subscriptions

Oracle Graalvm Graalvm For Jdk Java Se Jdk Jre
Redhat Openjdk Els
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T20:55:54.335Z

Reserved: 2026-01-05T18:07:34.709Z

Link: CVE-2026-21932

cve-icon Vulnrichment

Updated: 2026-01-21T20:55:48.830Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-20T22:15:55.793

Modified: 2026-01-30T16:08:39.917

Link: CVE-2026-21932

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-20T21:21:00Z

Links: CVE-2026-21932 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses