Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Published: 2026-04-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Partial Denial of Service
Action: Patch Now
AI Analysis

Impact

This vulnerability originates in the JSSE component of Oracle Java SE and GraalVM, allowing an unauthenticated network attacker to trigger a partial denial of service by exploiting HTTPS communication. The weakness results in availability impact, as the victim system’s SSL/TLS handshake can be disrupted, leading to service interruption for legitimate users.

Affected Systems

Affected products include Oracle GraalVM Enterprise Edition 21.3.17, Oracle GraalVM for JDK versions 17.0.18 and 21.0.10, and Oracle Java SE across multiple releases – 8u481, 11.0.30, 17.0.18, 21.0.10, 25.0.2, and 26. These versions can be compromised through standard HTTPS interfaces, including web services that invoke the vulnerable APIs or sandboxed Java clients that load untrusted code.

Risk and Exploitability

The CVSS base score is 5.3, indicating a moderate severity primarily focused on availability. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely via HTTPS, where remote attackers can send crafted traffic to the JSSE component to trigger the denial of service. No exploitation conditions beyond network connectivity over HTTPS are mentioned in the advisory.

Generated by OpenCVE AI on April 22, 2026 at 05:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest Oracle Java SE security update that addresses the JSSE vulnerability.
  • Upgrade Oracle GraalVM Enterprise Edition to a version that includes the JSSE fix.
  • Upgrade Oracle GraalVM for JDK to the most recent minor release for 17 and 21 series that contains the update.
  • If an update cannot be applied immediately, limit incoming HTTPS traffic to trusted internal hosts or temporarily disable exposed HTTPS endpoints that use the affected Java/JAAS APIs.
  • Monitor application logs for repeated SSL handshake failures or abnormal traffic patterns as an indicator of exploitation attempts.

Generated by OpenCVE AI on April 22, 2026 at 05:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Title Unauthorized Remote Partial Denial of Service via HTTPS in Oracle Java SE and GraalVM
Weaknesses CWE-429
CWE-770

Wed, 22 Apr 2026 03:30:00 +0000

Type Values Removed Values Added
First Time appeared Oracle graalvm Enterprise Edition
Vendors & Products Oracle graalvm Enterprise Edition

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
First Time appeared Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
CPEs cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*
Vendors & Products Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Oracle Graalvm Graalvm Enterprise Edition Graalvm For Jdk Java Se
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:58:23.932Z

Reserved: 2026-01-05T18:07:34.731Z

Link: CVE-2026-22021

cve-icon Vulnrichment

Updated: 2026-04-22T13:58:12.069Z

cve-icon NVD

Status : Received

Published: 2026-04-21T21:16:29.193

Modified: 2026-04-22T14:16:35.507

Link: CVE-2026-22021

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T05:15:06Z

Weaknesses