CVE-2026-22008

EUVD-2026-24313

21.04.2026, 21:16

Vulnerability in Oracle Java SE (component: Libraries).   The supported version that is affected is Oracle Java SE: 25.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE.  Successful attacks of this vulnerability can result in  unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
oracle	CNA	3.7 LOW	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 11%

Affected Products (NVD)

Vendor	Product	Version
oracle	jdk	25.0.1
oracle	jre	25.0.1

𝑥

= Vulnerable software versions

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
oracle	java_se	25.0.1	CNA

Debian Releases

Debian Product

Codename

openjdk-25

forky	25.0.3+9-2 fixed
sid	25.0.3+9-2 fixed
trixie	25.0.3+9-2~deb13u1 fixed
trixie (security)	25.0.3+9-2~deb13u1 fixed

openSUSE / SLES Releases

openSUSE Product

Release

java-25-openjdk

suse enterprise desktop 15 SP7	25.0.3.0-150700.15.10.1 fixed
suse enterprise sap 15 SP7	25.0.3.0-150700.15.10.1 fixed
suse enterprise server 15 SP7	25.0.3.0-150700.15.10.1 fixed

java-25-openjdk-demo

suse enterprise desktop 15 SP7	25.0.3.0-150700.15.10.1 fixed
suse enterprise sap 15 SP7	25.0.3.0-150700.15.10.1 fixed
suse enterprise server 15 SP7	25.0.3.0-150700.15.10.1 fixed

java-25-openjdk-devel

suse enterprise desktop 15 SP7	25.0.3.0-150700.15.10.1 fixed
suse enterprise sap 15 SP7	25.0.3.0-150700.15.10.1 fixed
suse enterprise server 15 SP7	25.0.3.0-150700.15.10.1 fixed

java-25-openjdk-headless

suse enterprise desktop 15 SP7	25.0.3.0-150700.15.10.1 fixed
suse enterprise sap 15 SP7	25.0.3.0-150700.15.10.1 fixed
suse enterprise server 15 SP7	25.0.3.0-150700.15.10.1 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

java-25-openjdk

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-crypto-adapter

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-crypto-adapter-fastdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-crypto-adapter-slowdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-demo

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-demo-fastdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-demo-slowdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-devel

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-devel-fastdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-devel-slowdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-fastdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-headless

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-headless-fastdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-headless-slowdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-javadoc

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-javadoc-zip

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-jmods

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-jmods-fastdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-jmods-slowdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-slowdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-src

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-src-fastdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-src-slowdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-static-libs

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-static-libs-fastdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

java-25-openjdk-static-libs-slowdebug

RHEL 9

1:25.0.3.0.9-1.el9

fixed

Common Weakness Enumeration

CWE-250 - Execution with Unnecessary Privileges
The software performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.

Vulnerability Media Exposure

[GERMAN] Oracle Java SE: Mehrere Schwachstellen
Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Java SE ausnutzen, um die Vertraulichkeit, Integrität und Verfügbarkeit zu gefährden.
Published: 2026-04-21T22:00:00+00:00

References

https://www.oracle.com/security-alerts/cpuapr2026.html