Bug#1126119: openjdk-8: CVE-2026-21945 CVE-2026-21933 CVE-2026-21932 CVE-2026-21925
Moritz Mühlenhoff
jmm at inutil.org
Wed Jan 21 22:11:21 GMT 2026
Package: openjdk-8
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for openjdk-8.
CVE-2026-21945[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Security). Supported versions that are affected are Oracle Java SE:
| 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1;
| Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM
| Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM
| for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. This vulnerability does not
| apply to Java deployments, typically in servers, that load and run
| only trusted code (e.g., code installed by an administrator). CVSS
| 3.1 Base Score 7.5 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
CVE-2026-21933[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Networking). Supported versions that are affected are Oracle Java
| SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1;
| Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM
| Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks require human interaction
| from a person other than the attacker and while the vulnerability is
| in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition, attacks may significantly impact additional products (scope
| change). Successful attacks of this vulnerability can result in
| unauthorized update, insert or delete access to some of Oracle Java
| SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition
| accessible data as well as unauthorized read access to a subset of
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability can be exploited
| by using APIs in the specified Component, e.g., through a web
| service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
CVE-2026-21932[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| AWT, JavaFX). Supported versions that are affected are Oracle Java
| SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1;
| Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM
| Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks require human interaction
| from a person other than the attacker and while the vulnerability is
| in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition, attacks may significantly impact additional products (scope
| change). Successful attacks of this vulnerability can result in
| unauthorized creation, deletion or modification access to critical
| data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability applies
| to Java deployments, typically in clients running sandboxed Java Web
| Start applications or sandboxed Java applets, that load and run
| untrusted code (e.g., code that comes from the internet) and rely on
| the Java sandbox for security. This vulnerability does not apply to
| Java deployments, typically in servers, that load and run only
| trusted code (e.g., code installed by an administrator). CVSS 3.1
| Base Score 7.4 (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).
CVE-2026-21925[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| RMI). Supported versions that are affected are Oracle Java SE:
| 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1;
| Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM
| Enterprise Edition: 21.3.16. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,
| Oracle GraalVM Enterprise Edition. Successful attacks of this
| vulnerability can result in unauthorized update, insert or delete
| access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition accessible data as well as unauthorized
| read access to a subset of Oracle Java SE, Oracle GraalVM for JDK,
| Oracle GraalVM Enterprise Edition accessible data. Note: This
| vulnerability can be exploited by using APIs in the specified
| Component, e.g., through a web service which supplies data to the
| APIs. This vulnerability also applies to Java deployments, typically
| in clients running sandboxed Java Web Start applications or
| sandboxed Java applets, that load and run untrusted code (e.g., code
| that comes from the internet) and rely on the Java sandbox for
| security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-21945
https://www.cve.org/CVERecord?id=CVE-2026-21945
[1] https://security-tracker.debian.org/tracker/CVE-2026-21933
https://www.cve.org/CVERecord?id=CVE-2026-21933
[2] https://security-tracker.debian.org/tracker/CVE-2026-21932
https://www.cve.org/CVERecord?id=CVE-2026-21932
[3] https://security-tracker.debian.org/tracker/CVE-2026-21925
https://www.cve.org/CVERecord?id=CVE-2026-21925
Please adjust the affected versions in the BTS as needed.
More information about the pkg-java-maintainers
mailing list