Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-01-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (application hang or crash)
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises when Oracle Java SE, Oracle GraalVM for JDK and Oracle GraalVM Enterprise Edition validate certificates in a sandboxed environment. It allows an unauthenticated attacker with network access to cause a forced hang or complete crash when the Java runtime loads untrusted code. The flaw does not lead to data compromise or privilege escalation; it solely impacts availability.

Affected Systems

Affected versions are Oracle Java SE 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK 17.0.17 and 21.0.9; and Oracle GraalVM Enterprise Edition 21.3.16. The list of CPEs also references Red Hat OpenJDK ELS 11, suggesting that equivalent OpenJDK distributions that share the same code base may be impacted.

Risk and Exploitability

The CVSS v3.1 score of 7.5 reflects a high availability impact with low attack complexity. Network based, unauthenticated exploitation is sufficient, and the EPSS score of less than 1 % indicates that, while the probability of exploitation is low, it remains possible. The vulnerability is not flagged in the CISA KEV catalog. Attackers can trigger the flaw over multiple protocols, exposing client‑side Java deployments that rely on the sandbox to potential downtime without needing privileged access or authentication.

Generated by OpenCVE AI on April 18, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition to a version that is not explicitly listed as affected in the CVE data.
  • Disable or restrict Java Web Start and sandboxed applet execution, or limit network access to trusted sources to prevent loading untrusted code.
  • If Red Hat OpenJDK ELS 11 is in use, ensure it is updated to a non‑affected release that addresses the same underlying issue.

Generated by OpenCVE AI on April 18, 2026 at 19:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4456-1 openjdk-17 security update
Debian DLA Debian DLA DLA-4457-1 openjdk-11 security update
Debian DSA Debian DSA DSA-6110-1 openjdk-17 security update
Debian DSA Debian DSA DSA-6112-1 openjdk-21 security update
Debian DSA Debian DSA DSA-6119-1 openjdk-25 security update
Ubuntu USN Ubuntu USN USN-7995-1 OpenJDK 25 vulnerabilities
Ubuntu USN Ubuntu USN USN-7996-1 CRaC JDK 25 vulnerabilities
Ubuntu USN Ubuntu USN USN-7997-1 CRaC JDK 17 vulnerabilities
Ubuntu USN Ubuntu USN USN-7998-1 OpenJDK 17 vulnerabilities
Ubuntu USN Ubuntu USN USN-8000-1 OpenJDK 8 vulnerabilities
Ubuntu USN Ubuntu USN USN-8001-1 OpenJDK 11 vulnerabilities
Ubuntu USN Ubuntu USN USN-8002-1 OpenJDK 21 vulnerabilities
Ubuntu USN Ubuntu USN USN-8003-1 CRaC JDK 21 vulnerabilities
History

Fri, 30 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Oracle jdk
Oracle jre
CPEs cpe:2.3:a:oracle:jdk:1.8.0:update471:*:*:-:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update471:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update471_b50:*:*:-:*:*:*
cpe:2.3:a:oracle:jdk:11.0.29:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:25.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update471:*:*:-:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update471:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update471_b50:*:*:-:*:*:*
cpe:2.3:a:oracle:jre:11.0.29:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:25.0.1:*:*:*:*:*:*:*
Vendors & Products Oracle jdk
Oracle jre

Thu, 22 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Title openjdk: Enhance Certificate Checking (Oracle CPU 2026-01)
First Time appeared Redhat
Redhat openjdk Els
Weaknesses CWE-295
CPEs cpe:/a:redhat:openjdk_els:11
cpe:/a:redhat:openjdk_els:11::el7
cpe:/a:redhat:openjdk_els:11::el8
cpe:/a:redhat:openjdk_els:11::el9
Vendors & Products Redhat
Redhat openjdk Els
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 21 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
First Time appeared Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
CPEs cpe:2.3:a:oracle:graalvm:21.3.16:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:11.0.29:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:17.0.17:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:21.0.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:25.0.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u471:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u471:*:*:*:enterprise_performance:*:*:*
Vendors & Products Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Oracle Graalvm Graalvm For Jdk Java Se Jdk Jre
Redhat Openjdk Els
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T15:05:36.940Z

Reserved: 2026-01-05T18:07:34.712Z

Link: CVE-2026-21945

cve-icon Vulnrichment

Updated: 2026-01-21T15:05:17.529Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-20T22:15:57.390

Modified: 2026-01-30T16:03:26.530

Link: CVE-2026-21945

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-20T21:21:00Z

Links: CVE-2026-21945 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses