Description
Vulnerability in Oracle Java SE (component: Libraries). The supported version that is affected is Oracle Java SE: 25.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
Published: 2026-04-21
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification
Action: Assess Impact
AI Analysis

Impact

This vulnerability is in the Libraries component of Oracle Java SE. The CVSS vector (AV:N, PR:N, UI:N) does not mean a listening service is attacked: in Oracle's model for sandbox issues the attacker's own untrusted code is the sandboxed Web Start application or applet, and "network" reflects that this code arrives from the internet. A successful attack yields unauthorized update, insert or delete access to some of the data the Java runtime can reach, with no confidentiality or availability impact (C:N, A:N). Oracle's advisory does not state the root cause, and the weakness tags on this page are inconsistent and should not be read as a description of the bug: the History section records CWE-284, CWE-732, CWE-250 and CWE-122 at different times, and the Red Hat title for the same CVE, "openjdk: OpenJDK: Improved Arena allocations (Oracle CPU 2026-04)", together with the CWE-122 tag suggests a fix to native memory handling rather than a sandbox policy error.

Affected Systems

The CPE on this page names exactly Oracle Java SE 25.0.1 (cpe:2.3:a:oracle:java_se:25.0.1:*:*:*:*:*:*:*). Oracle's note scopes the issue to client deployments that run untrusted code from the internet under the Java sandbox and excludes servers that run only trusted, administrator-installed code. Two caveats apply when mapping that note onto Java 25. First, Oracle removed Java Web Start and the browser plugin from its JDK in version 11, so a Java SE 25 installation does not run applets or Web Start applications as such; the practical criterion is whether the deployment loads and executes Java code it does not trust. Second, Red Hat tracks the same CVE against OpenJDK (severity Low), so OpenJDK-based builds of the same version line should be checked even though the CPE lists only Oracle's product.

Risk and Exploitability

The CVSS 3.1 base score of 3.7 is Low (the 3.1 rating scale puts 0.1 to 3.9 in Low; Medium starts at 4.0). The score is held down by AC:H (Oracle's "difficult to exploit") and by a single Low integrity impact; the same vector with AC:L would rate Medium. EPSS is below 1% and the CVE is not in the CISA KEV catalog; the SSVC entry in the History section records Exploitation: none, Automatable: no, Technical Impact: partial. Exploitation requires the target to load and run attacker-supplied Java code under the sandbox. Oracle's description claims no confidentiality or availability impact and no privilege escalation, so the impact is confined to the integrity of data the application can access.

Generated by OpenCVE AI on April 22, 2026 at 19:39 UTC.

Remediation

The page lists no vendor fix or workaround. Oracle normally discloses Java SE CVEs in the Critical Patch Update that fixes them, and the Red Hat title for this CVE references Oracle CPU 2026-04, so the fix is expected in the Java SE release shipped with that CPU; the exact patched version is not recorded here.

OpenCVE Recommended Actions

  • Apply the Oracle Java SE update from the Critical Patch Update that addresses this CVE (the Red Hat title associates it with Oracle CPU 2026-04); for OpenJDK-based builds, take the corresponding vendor update. Confirm the installed version afterwards with `java -version`.
  • Stop running untrusted Java code in-process. Java SE 25 ships neither Java Web Start nor a browser plugin (Oracle removed both in JDK 11), so on a current client the exposure comes from any application that downloads and executes code it does not trust.
  • Do not plan on the Security Manager as a control: JEP 486 permanently disabled it in JDK 24, so on 25.0.1 it cannot be enabled and cannot confine what loaded code writes. Use operating-system controls instead: run the JVM as a dedicated low-privilege user, restrict write access to the data it handles, and isolate it at the process or container level.
  • If Java SE is not required on the client machine, uninstall it.

Generated by OpenCVE AI on April 22, 2026 at 19:39 UTC.
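The following Python is an added example, not OpenCVE's or Oracle's code, for the inventory step behind the first two actions above and the Affected Systems section: it parses the first line of `java -version` output, compares the version with the 25.0.1 in the page's CPE, and records whether the runtime is JDK 24 or later, where JEP 486 rules out the Security Manager as a mitigation. The sample outputs are constructed for this example (the line formats follow what Oracle JDK and OpenJDK builds print; the build identifiers are invented), and `AFFECTED` and the function names are the example's own.

```python
"""Check `java -version` output against the affected version on this page."""
import re
import subprocess

# Version named by the page's CPE: cpe:2.3:a:oracle:java_se:25.0.1:*:*:*:*:*:*:*
AFFECTED = (25, 0, 1)

# First line of `java -version`: Oracle JDK prints `java version "25.0.1" ...`,
# OpenJDK builds print `openjdk version "25.0.1" ...`. Pre-JDK 9 strings such
# as "1.8.0_452" stop matching at the underscore, leaving (1, 8, 0).
_VERSION_LINE = re.compile(r'^(java|openjdk) version "([0-9][0-9.]*)', re.MULTILINE)

# Constructed sample outputs (line formats are real, build identifiers invented).
ORACLE_25_0_1 = (
    'java version "25.0.1" 2025-10-21 LTS\n'
    'Java(TM) SE Runtime Environment (build 25.0.1+8-LTS-example)\n'
    'Java HotSpot(TM) 64-Bit Server VM (build 25.0.1+8-LTS-example, mixed mode, sharing)\n'
)
OPENJDK_25_0_1 = (
    'openjdk version "25.0.1" 2025-10-21 LTS\n'
    'OpenJDK Runtime Environment (build 25.0.1+8-example)\n'
    'OpenJDK 64-Bit Server VM (build 25.0.1+8-example, mixed mode, sharing)\n'
)
ORACLE_21_0_5 = (
    'java version "21.0.5" 2024-10-15 LTS\n'
    'Java(TM) SE Runtime Environment (build 21.0.5+9-LTS-example)\n'
)


def parse_version(output: str):
    """Return ("oracle" | "openjdk", (feature, interim, update)) from -version text."""
    m = _VERSION_LINE.search(output)
    if not m:
        raise ValueError("no `java version` / `openjdk version` line found")
    kind = "oracle" if m.group(1) == "java" else "openjdk"
    parts = tuple(int(x) for x in m.group(2).split(".") if x)
    # `java version "25"` (a GA feature release) becomes (25, 0, 0).
    version = parts + (0,) * max(0, 3 - len(parts))
    return kind, version


def classify(output: str) -> dict:
    """Compare one runtime's -version output with the page's CPE and note which
    mitigations are even possible on it."""
    kind, version = parse_version(output)
    same_version = version[:3] == AFFECTED
    return {
        "kind": kind,
        "version": version,
        # Exact CPE match: Oracle's product at 25.0.1.
        "oracle_cpe_match": kind == "oracle" and same_version,
        # Red Hat tracks this CVE against OpenJDK too, so the version match is
        # reported for any vendor and the vendor advisory decides.
        "matches_affected_version": same_version,
        # JEP 486 (JDK 24) permanently disabled the Security Manager, so a
        # "configure the security manager" mitigation exists only below 24.
        "security_manager_available": version[0] < 24,
    }


def classify_local_java() -> dict:
    """Classify the `java` on PATH; `-version` writes to stderr, not stdout."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return classify(proc.stderr)


if __name__ == "__main__":
    for sample in (ORACLE_25_0_1, OPENJDK_25_0_1, ORACLE_21_0_5):
        print(classify(sample))
```

On a fleet, feed each host's `java -version` stderr (every JDK on disk, not only the one on PATH) into `classify`; a True `matches_affected_version` with `security_manager_available` False is the case the recommended actions above describe, where the only mitigations are patching and not running untrusted code.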

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-732

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-250
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title openjdk: OpenJDK: Improved Arena allocations (Oracle CPU 2026-04)
Weaknesses CWE-122
References
Metrics threat_severity

None

threat_severity

Low


Wed, 22 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-732

Wed, 22 Apr 2026 07:00:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Modification via Vulnerable Java Sandbox
Weaknesses CWE-284
CWE-732

Wed, 22 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Modification via Vulnerable Java Sandbox
Weaknesses CWE-284
CWE-732

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in Oracle Java SE (component: Libraries). The supported version that is affected is Oracle Java SE: 25.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
First Time appeared Oracle
Oracle java Se
CPEs cpe:2.3:a:oracle:java_se:25.0.1:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle java Se
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T14:06:09.562Z

Reserved: 2026-01-05T18:07:34.726Z

Link: CVE-2026-22008

Vulnrichment

Updated: 2026-04-22T14:06:06.186Z

NVD

Status : Undergoing Analysis

Published: 2026-04-21T21:16:26.690

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-22008

Redhat

Severity : Low

Public Date: 2026-04-21T20:00:00Z

Links: CVE-2026-22008 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T19:45:25Z

Weaknesses