CVE-2026-34282 - Vulnerability Details

- openjdk: OpenJDK: Enhance TLS connection handling (Oracle CPU 2026-04)

Description

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Published: 2026-04-21

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability arises in the networking component of Oracle Java SE and GraalVM products. An unauthenticated attacker with network access can trigger a resource exhaustion that causes the runtime to hang or crash, resulting in a permanent or frequently repeatable denial of service for applications built on these environments.

Affected Systems

Affected products include Oracle GraalVM Enterprise Edition 21.3.17, Oracle GraalVM for JDK 17.0.18 and 21.0.10, and Oracle Java SE versions 8u481‑perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, and 26.

Risk and Exploitability

The CVSS v3.1 Base Score of 7.5 emphasizes high Availability impact. Attackers need only unauthenticated network access; privileged access or user interaction is not required. Although an EPSS score is not available, the lack of a KEV listing does not mitigate the risk, as the flaw remains exploitable across multiple network protocols.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle Java SE

affected

Version	Status	Constraints
`8u481-perf`	affected	—
`11.0.30`	affected	—
`17.0.18`	affected	—
`21.0.10`	affected	—
`25.0.2`	affected	—
`26`	affected	—

Oracle Corporation

Oracle GraalVM for JDK

affected

Version	Status	Constraints
`17.0.18`	affected	—
`21.0.10`	affected	—

Oracle Corporation

Oracle GraalVM Enterprise Edition

affected

Version	Status	Constraints
`21.3.17`	affected	—

No data.

Package	CPE	Advisory	Released Date
OPENJDK ELS 11.0.31
java-11-openjdk-portable	cpe:/a:redhat:openjdk_els:11	RHSA-2026:9255	2026-04-22T00:00:00Z
java-11-openjdk-windows	cpe:/a:redhat:openjdk_els:11	RHSA-2026:9256	2026-04-22T00:00:00Z
Red Hat Enterprise Linux 10
java-25-openjdk-1:25.0.3.0.9-1.el10_2	cpe:/o:redhat:enterprise_linux:10.1	RHSA-2026:9693	2026-04-22T00:00:00Z
Red Hat Enterprise Linux 9
java-25-openjdk-1:25.0.3.0.9-1.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2026:9693	2026-04-22T00:00:00Z
Red Hat OpenJDK 11 els for RHEL 7
java-11-openjdk-1:11.0.31.0.11-1.el7_9	cpe:/a:redhat:openjdk_els:11::el7	RHSA-2026:9254	2026-04-22T00:00:00Z
Red Hat OpenJDK 11 els for RHEL 8
java-11-openjdk-1:11.0.31.0.11-1.el8	cpe:/a:redhat:openjdk_els:11::el8	RHSA-2026:9254	2026-04-22T00:00:00Z
Red Hat OpenJDK 11 els for RHEL 9
java-11-openjdk-1:11.0.31.0.11-1.el9	cpe:/a:redhat:openjdk_els:11::el9	RHSA-2026:9254	2026-04-22T00:00:00Z

Vendor Product Confidence Versions

Oracle

Graalvm

95%

Version	Status	Scheme	Platform
`21.3.17`	affected	generic	—

Oracle

Graalvm For Jdk

95%

Version	Status	Scheme	Platform
`17.0.18`	affected	generic	—
`21.0.10`	affected	generic	—

Oracle

Java Se

95%

Version	Status	Scheme	Platform
`8u481-perf`	affected	generic	—
`11.0.30`	affected	generic	—
`17.0.18`	affected	generic	—
`21.0.10`	affected	generic	—
`25.0.2`	affected	generic	—
`26`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Oracle security patch that addresses the networking vulnerability in Java SE and GraalVM.
Upgrade to a patched or newer runtime version that includes the fix.
Restrict network exposure of services that use the vulnerable APIs, or disable the affected networking components if feasible.
Audit client deployments to prevent untrusted code loading and further limit the attack surface.

Generated by OpenCVE AI on April 22, 2026 at 06:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0004.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2026-34282
https://www.cve.org/CVERecord?id=CVE-2026-34282
https://www.oracle.com/security-alerts/cpuapr2026.html
https://www.oracle.com/security-alerts/cpuapr2026.html#AppendixJAVA

History

Thu, 23 Apr 2026 00:15:00 +0000

Type	Values Removed	Values Added
Title	Denial of Service via Networking Component in Oracle Java SE and GraalVM	openjdk: OpenJDK: Enhance TLS connection handling (Oracle CPU 2026-04)
First Time appeared		Redhat Redhat enterprise Linux Redhat openjdk Els
Weaknesses		CWE-835
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/a:redhat:openjdk_els:11 cpe:/a:redhat:openjdk_els:11::el7 cpe:/a:redhat:openjdk_els:11::el8 cpe:/a:redhat:openjdk_els:11::el9 cpe:/o:redhat:enterprise_linux:10.1
Vendors & Products		Redhat Redhat enterprise Linux Redhat openjdk Els
References		https://nvd.nist.gov/vuln/detail/CVE-2026-34282 https://www.cve.org/CVERecord?id=CVE-2026-34282 https://www.oracle.com/security-alerts/cpuapr2026.html#AppendixJAVA
Metrics	threat_severity `None`	threat_severity `Important`

Wed, 22 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 22 Apr 2026 07:00:00 +0000

Type	Values Removed	Values Added
Title		Denial of Service via Networking Component in Oracle Java SE and GraalVM
Weaknesses		CWE-400

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
First Time appeared		Oracle Oracle graalvm Oracle graalvm For Jdk Oracle java Se
CPEs		cpe:2.3:a:oracle:graalvm:21.3.17::::enterprise::: cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:::::::* cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:::::::* cpe:2.3:a:oracle:java_se:11.0.30:::::::* cpe:2.3:a:oracle:java_se:17.0.18:::::::* cpe:2.3:a:oracle:java_se:21.0.10:::::::* cpe:2.3:a:oracle:java_se:25.0.2:::::::* cpe:2.3:a:oracle:java_se:26:::::::* cpe:2.3:a:oracle:java_se:8u481::::enterprise_performance:::
Vendors & Products		Oracle Oracle graalvm Oracle graalvm For Jdk Oracle java Se
References		https://www.oracle.com/security-alerts/cpuapr2026.html
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Oracle Graalvm Graalvm For Jdk Java Se

Redhat Enterprise Linux Openjdk Els

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-04-21T20:35:21.405Z

Updated: 2026-04-22T15:34:09.905Z

Reserved: 2026-03-26T19:48:45.676Z

Link: CVE-2026-34282

Vulnrichment

Updated: 2026-04-22T15:34:05.323Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T21:16:32.643

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-34282

Redhat

Severity : Important

Publid Date: 2026-04-21T20:00:00Z

Links: CVE-2026-34282 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T06:45:10Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object