Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Published: 2026-04-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Partial Denial of Service
Action: Patch Now
AI Analysis

Impact

The affected component is Java Secure Socket Extension (JSSE) in Oracle Java SE and in both Oracle GraalVM for JDK and Oracle GraalVM Enterprise Edition. An unauthenticated attacker with network connectivity over HTTPS can trigger the flaw to result in a partial denial of service, impacting availability of services that rely on the vulnerable SSL/TLS code. The flaw does not provide any path to compromise confidentiality or integrity.

Affected Systems

The vulnerability affects Oracle GraalVM Enterprise Edition 21.3.17, Oracle GraalVM for JDK 17.0.18 and 21.0.10, and Oracle Java SE releases 8u481 (including the b50 and perf variants), 11.0.30, 17.0.18, 21.0.10, 25.0.2, and 26. These versions can be reached through standard HTTPS interfaces such as web services or through sandboxed Java clients that load untrusted code.

Risk and Exploitability

The CVSS base score of 5.3 describes a moderate level of severity with an availability impact. The EPSS score is less than 1 percent, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Externally, a remote attacker can exploit the issue simply by sending crafted HTTPS traffic to the affected Java process; no authentication or special privileges are required, and exploitation is possible through any exposed HTTPS endpoint that uses the vulnerable JSSE APIs or through sandboxed applications that load external code.

Generated by OpenCVE AI on April 28, 2026 at 16:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle Java SE security updates that address the JSSE vulnerability, as detailed in Oracle’s CPU April 2026 advisory.
  • Upgrade Oracle GraalVM Enterprise Edition to a release that includes the fixed JSSE implementation, and similarly bring Oracle GraalVM for JDK up to the most recent patch for the 17 and 21 series.
  • If a patch cannot be deployed immediately, limit inbound HTTPS traffic to trusted internal sources or temporarily disable HTTPS endpoints that invoke the vulnerable APIs until the update is applied.
  • Monitor application and system logs for abnormal SSL/TLS handshake failures or repeated handshake errors, which may indicate attempted exploitation.

Generated by OpenCVE AI on April 28, 2026 at 16:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4565-1 openjdk-17 security update
Debian DLA Debian DLA DLA-4566-1 openjdk-11 security update
Debian DSA Debian DSA DSA-6231-1 openjdk-21 security update
Debian DSA Debian DSA DSA-6237-1 openjdk-17
Debian DSA Debian DSA DSA-6246-1 openjdk-25 security update
History

Tue, 28 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-429
CWE-770

Mon, 27 Apr 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Oracle jdk
Oracle jre
CPEs cpe:2.3:a:oracle:jdk:1.8.0:update481:*:*:-:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update481:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jdk:1.8.0:update481_b50:*:*:-:*:*:*
cpe:2.3:a:oracle:jdk:11.0.30:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:25.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jdk:26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update481:*:*:-:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update481:*:*:enterprise_performance_pack:*:*:*
cpe:2.3:a:oracle:jre:1.8.0:update481_b50:*:*:-:*:*:*
cpe:2.3:a:oracle:jre:11.0.30:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:25.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:jre:26:*:*:*:*:*:*:*
Vendors & Products Oracle jdk
Oracle jre

Thu, 23 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Remote Partial Denial of Service via HTTPS in Oracle Java SE and GraalVM openjdk: OpenJDK: Enhance certificate chain validation (Oracle CPU 2026-04)
First Time appeared Redhat
Redhat enterprise Linux
Redhat openjdk Els
Redhat rhel Els
Weaknesses CWE-674
CPEs cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:openjdk_els:11
cpe:/a:redhat:openjdk_els:11::el7
cpe:/a:redhat:openjdk_els:11::el8
cpe:/a:redhat:openjdk_els:11::el9
cpe:/o:redhat:enterprise_linux:10.1
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openjdk Els
Redhat rhel Els
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Title Unauthorized Remote Partial Denial of Service via HTTPS in Oracle Java SE and GraalVM
Weaknesses CWE-429
CWE-770

Wed, 22 Apr 2026 03:30:00 +0000

Type Values Removed Values Added
First Time appeared Oracle graalvm Enterprise Edition
Vendors & Products Oracle graalvm Enterprise Edition

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
First Time appeared Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
CPEs cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*
Vendors & Products Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Oracle Graalvm Graalvm Enterprise Edition Graalvm For Jdk Java Se Jdk Jre
Redhat Enterprise Linux Openjdk Els Rhel Els
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:58:23.932Z

Reserved: 2026-01-05T18:07:34.731Z

Link: CVE-2026-22021

cve-icon Vulnrichment

Updated: 2026-04-22T13:58:12.069Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T21:16:29.193

Modified: 2026-04-27T12:18:05.093

Link: CVE-2026-22021

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T20:00:00Z

Links: CVE-2026-22021 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T16:15:20Z

Weaknesses