[From nobody Fri May  8 16:07:05 2026
Received: (at submit) by bugs.debian.org; 25 Apr 2026 12:15:51 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.9 required=4.0 tests=BAYES_00, FOURLA,
 SPF_HELO_NONE, SPF_PASS autolearn=no autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 49; hammy, 150; neutral, 117; spammy,
 0. spammytokens:
 hammytokens:0.000-+--UD:security-tracker.debian.org, 
 0.000-+--securitytrackerdebianorg,
 0.000-+--security-tracker.debian.org, 0.000-+--H*r:jmm,
 0.000-+--sk:teamse
Return-path: <jmm@inutil.org>
Received: from inutil.org ([51.38.114.215]:55068 helo=vps-b7ad3695.vps.ovh.net)
 by buxtehude.debian.org with esmtp (Exim 4.96)
 (envelope-from <jmm@inutil.org>) id 1wGbvL-000a1t-1k
 for submit@bugs.debian.org; Sat, 25 Apr 2026 12:15:51 +0000
Received: from soju.westfalen.local (p548dc5fc.dip0.t-ipconnect.de
 [84.141.197.252])
 by vps-b7ad3695.vps.ovh.net (Postfix) with ESMTPSA id 78EC61F7
 for <submit@bugs.debian.org>; Sat, 25 Apr 2026 12:15:50 +0000 (UTC)
Received: from jmm by soju.westfalen.local with local (Exim 4.99.1)
 (envelope-from <jmm@soju.westfalen.local>) id 1wGbtu-00000003ZSM-001I
 for submit@bugs.debian.org; Sat, 25 Apr 2026 14:14:22 +0200
Date: Sat, 25 Apr 2026 14:14:21 +0200
To: submit@bugs.debian.org
Subject: openjdk-8: CVE-2026-34268 CVE-2026-22003 CVE-2026-22007
 CVE-2026-22013 CVE-2026-22016 CVE-2026-22018 CVE-2026-22021
Message-ID: <aeywHen32l2h3aUx@pisco.westfalen.local>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
From: =?UTF-8?Q?Moritz_M=C3=BChlenhoff?= <jmm@inutil.org>
Delivered-To: submit@bugs.debian.org

Source: openjdk-8
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openjdk-8.

CVE-2026-34268[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Security).  Supported versions that are affected are Oracle Java SE:
| 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26;
| Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Difficult to exploit vulnerability
| allows unauthenticated attacker with logon to the infrastructure
| where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition executes to compromise Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful
| attacks of this vulnerability can result in  unauthorized read
| access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition accessible data. Note: This vulnerability
| can be exploited by using APIs in the specified Component, e.g.,
| through a web service which supplies data to the APIs. This
| vulnerability also applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. CVSS
| 3.1 Base Score 2.9 (Confidentiality impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).


CVE-2026-22003[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise
| Edition product of Oracle Java SE (component: Hotspot).  Supported
| versions that are affected are Oracle Java SE: 8u481 and  8u481-b50;
| Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle Java SE, Oracle GraalVM Enterprise
| Edition executes to compromise Oracle Java SE, Oracle GraalVM
| Enterprise Edition.  Successful attacks require human interaction
| from a person other than the attacker. Successful attacks of this
| vulnerability can result in  unauthorized creation, deletion or
| modification access to critical data or all Oracle Java SE, Oracle
| GraalVM Enterprise Edition accessible data and unauthorized ability
| to cause a hang or frequently repeatable crash (complete DOS) of
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This
| vulnerability applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. This
| vulnerability does not apply to Java deployments, typically in
| servers, that load and run only trusted code (e.g., code installed
| by an administrator). CVSS 3.1 Base Score 6.0 (Integrity and
| Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).


CVE-2026-22007[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Security).  Supported versions that are affected are Oracle Java SE:
| 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26;
| Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Difficult to exploit vulnerability
| allows unauthenticated attacker with logon to the infrastructure
| where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition executes to compromise Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition.  Successful
| attacks of this vulnerability can result in  unauthorized read
| access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition accessible data. Note: This vulnerability
| can be exploited by using APIs in the specified Component, e.g.,
| through a web service which supplies data to the APIs. This
| vulnerability also applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. CVSS
| 3.1 Base Score 2.9 (Confidentiality impacts).  CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).


CVE-2026-22013[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JGSS).  Supported versions that are affected are Oracle Java SE:
| 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26;
| Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,
| Oracle GraalVM Enterprise Edition.  Successful attacks require human
| interaction from a person other than the attacker. Successful
| attacks of this vulnerability can result in  unauthorized access to
| critical data or complete access to all Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability applies to Java deployments, typically in
| clients running sandboxed Java Web Start applications or sandboxed
| Java applets, that load and run untrusted code (e.g., code that
| comes from the internet) and rely on the Java sandbox for security.
| This vulnerability does not apply to Java deployments, typically in
| servers, that load and run only trusted code (e.g., code installed
| by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).


CVE-2026-22016[4]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JAXP).  Supported versions that are affected are Oracle Java SE:
| 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26;
| Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition.  Successful attacks of this vulnerability can
| result in  unauthorized access to critical data or complete access
| to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5
| (Confidentiality impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).


CVE-2026-22018[5]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Libraries).  Supported versions that are affected are Oracle Java
| SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2,
| 26; Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,
| Oracle GraalVM Enterprise Edition.  Successful attacks of this
| vulnerability can result in unauthorized ability to cause a partial
| denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM
| for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability
| can be exploited by using APIs in the specified Component, e.g.,
| through a web service which supplies data to the APIs. This
| vulnerability also applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. CVSS
| 3.1 Base Score 3.7 (Availability impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).


CVE-2026-22021[6]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JSSE).  Supported versions that are affected are Oracle Java SE:
| 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26;
| Oracle GraalVM for JDK: 17.0.18 and  21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows
| unauthenticated attacker with network access via HTTPS to compromise
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition.  Successful attacks of this vulnerability can result in
| unauthorized ability to cause a partial denial of service (partial
| DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Note: This vulnerability can be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. This vulnerability also applies to
| Java deployments, typically in clients running sandboxed Java Web
| Start applications or sandboxed Java applets, that load and run
| untrusted code (e.g., code that comes from the internet) and rely on
| the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability
| impacts).  CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-34268
    https://www.cve.org/CVERecord?id=CVE-2026-34268
[1] https://security-tracker.debian.org/tracker/CVE-2026-22003
    https://www.cve.org/CVERecord?id=CVE-2026-22003
[2] https://security-tracker.debian.org/tracker/CVE-2026-22007
    https://www.cve.org/CVERecord?id=CVE-2026-22007
[3] https://security-tracker.debian.org/tracker/CVE-2026-22013
    https://www.cve.org/CVERecord?id=CVE-2026-22013
[4] https://security-tracker.debian.org/tracker/CVE-2026-22016
    https://www.cve.org/CVERecord?id=CVE-2026-22016
[5] https://security-tracker.debian.org/tracker/CVE-2026-22018
    https://www.cve.org/CVERecord?id=CVE-2026-22018
[6] https://security-tracker.debian.org/tracker/CVE-2026-22021
    https://www.cve.org/CVERecord?id=CVE-2026-22021

Please adjust the affected versions in the BTS as needed.
]