Bug#1134894: openjdk-8: CVE-2026-34268 CVE-2026-22003 CVE-2026-22007 CVE-2026-22013 CVE-2026-22016 CVE-2026-22018 CVE-2026-22021
Moritz Mühlenhoff
jmm at inutil.org
Sat Apr 25 13:14:21 BST 2026
Source: openjdk-8
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for openjdk-8.
CVE-2026-34268[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Security). Supported versions that are affected are Oracle Java SE:
| 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26;
| Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Difficult to exploit vulnerability
| allows unauthenticated attacker with logon to the infrastructure
| where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition executes to compromise Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful
| attacks of this vulnerability can result in unauthorized read
| access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition accessible data. Note: This vulnerability
| can be exploited by using APIs in the specified Component, e.g.,
| through a web service which supplies data to the APIs. This
| vulnerability also applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. CVSS
| 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2026-22003[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise
| Edition product of Oracle Java SE (component: Hotspot). Supported
| versions that are affected are Oracle Java SE: 8u481 and 8u481-b50;
| Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle Java SE, Oracle GraalVM Enterprise
| Edition executes to compromise Oracle Java SE, Oracle GraalVM
| Enterprise Edition. Successful attacks require human interaction
| from a person other than the attacker. Successful attacks of this
| vulnerability can result in unauthorized creation, deletion or
| modification access to critical data or all Oracle Java SE, Oracle
| GraalVM Enterprise Edition accessible data and unauthorized ability
| to cause a hang or frequently repeatable crash (complete DOS) of
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This
| vulnerability applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. This
| vulnerability does not apply to Java deployments, typically in
| servers, that load and run only trusted code (e.g., code installed
| by an administrator). CVSS 3.1 Base Score 6.0 (Integrity and
| Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).
CVE-2026-22007[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Security). Supported versions that are affected are Oracle Java SE:
| 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26;
| Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Difficult to exploit vulnerability
| allows unauthenticated attacker with logon to the infrastructure
| where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition executes to compromise Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful
| attacks of this vulnerability can result in unauthorized read
| access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition accessible data. Note: This vulnerability
| can be exploited by using APIs in the specified Component, e.g.,
| through a web service which supplies data to the APIs. This
| vulnerability also applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. CVSS
| 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
CVE-2026-22013[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JGSS). Supported versions that are affected are Oracle Java SE:
| 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26;
| Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,
| Oracle GraalVM Enterprise Edition. Successful attacks require human
| interaction from a person other than the attacker. Successful
| attacks of this vulnerability can result in unauthorized access to
| critical data or complete access to all Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability applies to Java deployments, typically in
| clients running sandboxed Java Web Start applications or sandboxed
| Java applets, that load and run untrusted code (e.g., code that
| comes from the internet) and rely on the Java sandbox for security.
| This vulnerability does not apply to Java deployments, typically in
| servers, that load and run only trusted code (e.g., code installed
| by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).
CVE-2026-22016[4]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JAXP). Supported versions that are affected are Oracle Java SE:
| 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26;
| Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized access to critical data or complete access
| to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5
| (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2026-22018[5]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Libraries). Supported versions that are affected are Oracle Java
| SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2,
| 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,
| Oracle GraalVM Enterprise Edition. Successful attacks of this
| vulnerability can result in unauthorized ability to cause a partial
| denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM
| for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability
| can be exploited by using APIs in the specified Component, e.g.,
| through a web service which supplies data to the APIs. This
| vulnerability also applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. CVSS
| 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2026-22021[6]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| JSSE). Supported versions that are affected are Oracle Java SE:
| 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26;
| Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM
| Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows
| unauthenticated attacker with network access via HTTPS to compromise
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a partial denial of service (partial
| DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Note: This vulnerability can be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. This vulnerability also applies to
| Java deployments, typically in clients running sandboxed Java Web
| Start applications or sandboxed Java applets, that load and run
| untrusted code (e.g., code that comes from the internet) and rely on
| the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-34268
https://www.cve.org/CVERecord?id=CVE-2026-34268
[1] https://security-tracker.debian.org/tracker/CVE-2026-22003
https://www.cve.org/CVERecord?id=CVE-2026-22003
[2] https://security-tracker.debian.org/tracker/CVE-2026-22007
https://www.cve.org/CVERecord?id=CVE-2026-22007
[3] https://security-tracker.debian.org/tracker/CVE-2026-22013
https://www.cve.org/CVERecord?id=CVE-2026-22013
[4] https://security-tracker.debian.org/tracker/CVE-2026-22016
https://www.cve.org/CVERecord?id=CVE-2026-22016
[5] https://security-tracker.debian.org/tracker/CVE-2026-22018
https://www.cve.org/CVERecord?id=CVE-2026-22018
[6] https://security-tracker.debian.org/tracker/CVE-2026-22021
https://www.cve.org/CVERecord?id=CVE-2026-22021
Please adjust the affected versions in the BTS as needed.