Description
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u481 and 8u481-b50; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 6.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).
Published: 2026-04-21
Score: 6 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: Unauthorized data alteration and denial of service at the application level
Action: Apply Patch
AI Analysis

Impact

A low‑privileged attacker who has local logon access to the infrastructure where Oracle Java SE or Oracle GraalVM Enterprise Edition runs can exploit a Hotspot component weakness to execute actions that modify, delete, or create critical data and to cause the application to hang or crash repeatedly. The vulnerability does not allow complete remote control of the system, but it does break data integrity and availability for the affected product.

Affected Systems

Oracle Java SE versions 8u481 and 8u481‑b50, and Oracle GraalVM Enterprise Edition version 21.3.17, are impacted. The issue is relevant mainly to sandboxed client deployments such as Java Web Start applications or applets that load untrusted code from the internet; it does not affect server deployments that run only trusted, administrator‑installed code.

Risk and Exploitability

The CVSS 3.1 base score is 6.0, with a local attack vector, high attack complexity, low privileges required, user interaction required, and unchanged scope (S:U). The EPSS score is not available and the vulnerability has not been listed in the CISA KEV catalog. Exploitation requires a human user interacting with the affected application outside of the attacker’s direct control, so automated attacks are unlikely, yet environments that allow untrusted Java clients remain at risk.

Generated by OpenCVE AI on April 22, 2026 at 05:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle Java SE to a released version that contains the fix, such as 8u482 or later.
  • Upgrade Oracle GraalVM Enterprise Edition to 21.3.18 or later.
  • If an upgrade is not yet possible, disable Java Web Start and applet support for untrusted code, or restrict local user privileges so that the affected runtime cannot be used to execute untrusted code.


Advisories

No advisories yet.

History

Each entry shows the record field that changed and the values removed or added.

Wed, 22 Apr 2026 15:15:00 +0000
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:30:00 +0000
  Weaknesses: CWE-400

Wed, 22 Apr 2026 03:15:00 +0000
  Title: Local Privileged Code Execution and Denial of Service in Oracle Java SE and GraalVM
  Weaknesses: CWE-1033, CWE-284

Wed, 22 Apr 2026 00:00:00 +0000
  Description: (the full text shown in the Description section at the top of this page)
  First Time appeared: Oracle, Oracle graalvm, Oracle java Se
  CPEs:
    cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*
    cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*
    cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*
  Vendors & Products: Oracle, Oracle graalvm, Oracle java Se
  References: (none listed)
  Metrics: cvssV3_1 {'score': 6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T14:10:38.643Z

Reserved: 2026-01-05T18:07:34.725Z

Link: CVE-2026-22003

Vulnrichment

Updated: 2026-04-22T14:10:25.122Z

NVD

Status: Undergoing Analysis

Published: 2026-04-21T21:16:25.650

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-22003

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:30:09Z

Weaknesses