Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-01-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Modification or Disclosure of Data
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition’s networking component, specifically the handling of HTTP requests. It allows an unauthenticated attacker with network access to craft malicious requests that can lead to unauthorized update, insert, delete, or read operations on data accessible to the affected JVM. This is a CWE‑93 weakness in HTTP request parsing that permits improper handling of malformed input. The attack requires user interaction with a system that processes the request, limiting the risk to environments where the JVM exposes services that accept external input.

Affected Systems

Systems that run Oracle Java SE versions 8u471, 8u471‑b50, 8u471‑perf, 11.0.29, 17.0.17, 21.0.9, or 25.0.1, as well as Oracle GraalVM for JDK 17.0.17 and 21.0.9 and Oracle GraalVM Enterprise Edition 21.3.16, are affected. The listed CPEs also include Red‑Hat Enterprise Linux OpenJDK ELS 11 distributions on el7‑9, reflecting that any Java runtime employing the vulnerable networking APIs is at risk. Additional Java applications that rely on sandboxed Java Web Start or applets could also be impacted if they load untrusted code over the network.

Risk and Exploitability

The CVSS base score of 6.1 classifies the issue as moderate, with moderate confidentiality and integrity impact. However, the EPSS score is below 1% and the vulnerability is not present in the CISA KEV catalog, indicating a very low current exploitation likelihood. The requirement for user interaction and network exposure confines potential attacks to environments where an attacker can entice a user to send a crafted request or where vulnerable services are exposed to hostile traffic. Consequently, while the exposed data could be altered or disclosed, the practical risk is mitigated by the low probability of exploitation and the need for a cooperating user.

Generated by OpenCVE AI on April 18, 2026 at 04:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition to the latest patch releases that contain the CVE fix.
  • Remove or disable the vulnerable HttpServer component from any application that does not require it, thereby eliminating the exposed code paths.
  • Restrict inbound HTTP traffic to trusted IP ranges and enforce strict input validation on Java applications to mitigate malformed request handling.
  • Disable Java Web Start and sandboxed applets unless absolutely necessary, and enforce strict security policies for loading untrusted code.

Generated by OpenCVE AI on April 18, 2026 at 04:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4456-1 openjdk-17 security update
Debian DLA Debian DLA DLA-4457-1 openjdk-11 security update
Debian DSA Debian DSA DSA-6110-1 openjdk-17 security update
Debian DSA Debian DSA DSA-6112-1 openjdk-21 security update
Debian DSA Debian DSA DSA-6119-1 openjdk-25 security update
Ubuntu USN Ubuntu USN USN-7995-1 OpenJDK 25 vulnerabilities
Ubuntu USN Ubuntu USN USN-7996-1 CRaC JDK 25 vulnerabilities
Ubuntu USN Ubuntu USN USN-7997-1 CRaC JDK 17 vulnerabilities
Ubuntu USN Ubuntu USN USN-7998-1 OpenJDK 17 vulnerabilities
Ubuntu USN Ubuntu USN USN-8000-1 OpenJDK 8 vulnerabilities
Ubuntu USN Ubuntu USN USN-8001-1 OpenJDK 11 vulnerabilities
Ubuntu USN Ubuntu USN USN-8002-1 OpenJDK 21 vulnerabilities
Ubuntu USN Ubuntu USN USN-8003-1 CRaC JDK 21 vulnerabilities
History

Fri, 30 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Oracle jdk
Oracle jre
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:oracle:jdk:1.8.0:update471:*:*:-:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update471:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update471_b50:*:*:-:*:*:*
cpe:2.3:a:oracle:jdk:11.0.29:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:25.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update471:*:*:-:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update471:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update471_b50:*:*:-:*:*:*
cpe:2.3:a:oracle:jre:11.0.29:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:25.0.1:*:*:*:*:*:*:*
Vendors & Products Oracle jdk
Oracle jre

Thu, 22 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Title openjdk: Improve HttpServer Request handling (Oracle CPU 2026-01)
First Time appeared Redhat
Redhat openjdk Els
Weaknesses CWE-93
CPEs cpe:/a:redhat:openjdk_els:11
cpe:/a:redhat:openjdk_els:11::el7
cpe:/a:redhat:openjdk_els:11::el8
cpe:/a:redhat:openjdk_els:11::el9
Vendors & Products Redhat
Redhat openjdk Els
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 21 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
First Time appeared Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
CPEs cpe:2.3:a:oracle:graalvm:21.3.16:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:11.0.29:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:25.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u471:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u471:*:*:*:enterprise_performance:*:*:*
Vendors & Products Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Oracle Graalvm Graalvm For Jdk Java Se Jdk Jre
Redhat Openjdk Els
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T20:56:25.029Z

Reserved: 2026-01-05T18:07:34.709Z

Link: CVE-2026-21933

cve-icon Vulnrichment

Updated: 2026-01-21T20:56:22.038Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-20T22:15:55.917

Modified: 2026-01-30T16:07:09.417

Link: CVE-2026-21933

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-20T21:21:00Z

Links: CVE-2026-21933 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses