Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Published: 2026-04-21
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Partial Denial of Service (Availability)
Action: Patch
AI Analysis

Impact

A vulnerability in the Libraries component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition allows an unauthenticated attacker who has network access to exploit APIs available through multiple protocols. Successful exploitation can cause a partial denial of service, disrupting application availability but not compromising confidentiality or integrity. The weakness is similar to a resource exhaustion or availability control failure, as it is broadly described as "partial DOS" based on usage of vulnerable APIs.

Affected Systems

Affected vendors include Oracle Corporation. The vulnerable products are Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Versions that can be compromised are Java SE 8u481, 8u481‑b50, 8u481‑perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, and 26; GraalVM for JDK 17.0.18 and 21.0.10; and GraalVM Enterprise Edition 21.3.17.

Risk and Exploitability

The CVSS score of 3.7 indicates a low‑to‑moderate severity. The attack vector is Network, with high attack complexity, no prerequisites, and no user interaction required. The EPSS score of 0.00047 indicates a very low exploitation probability (<1%), and the vulnerability is not listed in the CISA KEV catalog. The vulnerability can be triggered without authentication and across multiple protocols, which may still allow exploitation for organizations that expose Java services to the internet. If exploited, an attacker can disrupt services, potentially affecting end‑users or downstream systems that rely on the affected Java components.

Generated by OpenCVE AI on April 28, 2026 at 16:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch or upgrade to a non‑affected version of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition as detailed in Oracle CPU Apr 2026 advisory.
  • If a patch cannot be applied immediately, isolate the affected servers behind a firewall and restrict inbound traffic to the specific APIs that use the vulnerable libraries.
  • Enable the Java Application Security Manager or enforce sandbox restrictions for Java Web Start applications and applets so that untrusted code cannot be loaded from external sources.

Generated by OpenCVE AI on April 28, 2026 at 16:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4565-1 openjdk-17 security update
Debian DLA Debian DLA DLA-4566-1 openjdk-11 security update
Debian DSA Debian DSA DSA-6231-1 openjdk-21 security update
Debian DSA Debian DSA DSA-6237-1 openjdk-17
Debian DSA Debian DSA DSA-6246-1 openjdk-25 security update
History

Mon, 27 Apr 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Oracle jdk
Oracle jre
CPEs cpe:2.3:a:oracle:jdk:1.8.0:update481:*:*:-:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update481:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update481_b50:*:*:-:*:*:*
cpe:2.3:a:oracle:jdk:11.0.30:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:25.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update481:*:*:-:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update481:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update481_b50:*:*:-:*:*:*
cpe:2.3:a:oracle:jre:11.0.30:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:25.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:26:*:*:*:*:*:*:*
Vendors & Products Oracle jdk
Oracle jre

Wed, 22 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-754

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Partial Denial of Service via API in Oracle Java SE and GraalVM openjdk: OpenJDK: Enhance Zip file reading (Oracle CPU 2026-04)
Weaknesses CWE-125
References
Metrics threat_severity

None

 threat_severity

Low

Wed, 22 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Partial Denial of Service via API in Oracle Java SE and GraalVM
Weaknesses CWE-754

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
First Time appeared Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
CPEs cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*
Vendors & Products Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Oracle Graalvm Graalvm For Jdk Java Se Jdk Jre
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T14:06:10.533Z

Reserved: 2026-01-05T18:07:34.728Z

Link: CVE-2026-22018

cve-icon Vulnrichment

Updated: 2026-04-22T14:06:03.286Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T21:16:28.833

Modified: 2026-04-27T12:17:18.483

Link: CVE-2026-22018

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-21T20:00:00Z

Links: CVE-2026-22018 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T16:15:20Z

Weaknesses