CVE-2026-21932: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of O...
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).
Security readout for executives and security teams
Plain-English summary
CVE-2026-21932 is a high-severity Oracle Java and GraalVM issue affecting client-style Java deployments that run untrusted sandboxed code. A user must interact with malicious content. Successful exploitation can let an attacker create, delete, or modify critical data accessible to Java. Oracle says typical trusted server-side Java deployments are not affected by this issue.
Executive priority
Prioritize remediation for user-facing systems that can run untrusted Java content. Business risk is data integrity loss, not confidentiality or availability per the CVSS vector. Server-only Java workloads using trusted code are lower priority based on Oracle’s scope note, but should be inventoried to confirm applicability.
Technical view
The flaw is in Oracle Java SE and GraalVM AWT/JavaFX, associated with CWE-1287. CVSS is 7.4: network attack vector, low complexity, no privileges, user interaction required, scope changed, high integrity impact. Affected versions include Java SE 8u471, 11.0.29, 17.0.17, 21.0.9, 25.0.1; GraalVM for JDK 17.0.17/21.0.9; GraalVM EE 21.3.16.
Likely exposure
Highest exposure is on endpoints, kiosks, or applications that run sandboxed Java Web Start applications or applets from untrusted sources. Oracle states the issue does not apply to typical server deployments that load only trusted administrator-installed code. Organizations should still check packaged Java from Oracle, Red Hat, Siemens-impacted products, and embedded dependencies.
Exploitation context
Oracle describes the vulnerability as easily exploitable by an unauthenticated attacker with network access via multiple protocols, but requiring human interaction. The provided data does not show CISA KEV listing, and no cited source states active exploitation. Treat it as urgent for environments still using untrusted sandboxed Java content.
Researcher notes
Public information names AWT/JavaFX and CWE-1287 but does not provide root-cause details or safe proof-of-concept material. Analysis should focus on version exposure, deployment model, and whether untrusted sandboxed Java code is allowed. Avoid assuming all Java servers are exploitable; Oracle explicitly narrows applicability.
Mitigation direction
Apply Oracle January 2026 CPU guidance for affected Java and GraalVM versions.
Apply relevant Red Hat RHSA updates for Red Hat-packaged Java where applicable.
Check Siemens advisory for affected products and vendor-specific remediation.
Remove or disable untrusted Java Web Start or applet usage where possible.
Do not rely on Java sandboxing for untrusted internet code until updated.
Validation and detection
Inventory Oracle Java SE and GraalVM versions against the affected version list.
Identify endpoints or apps running Java Web Start or sandboxed applets.
Confirm whether Java loads untrusted internet-sourced code or only administrator-installed code.
Verify Oracle, Red Hat, or Siemens advisory remediation is applied.
Document exceptions where vendor-fixed packages are not yet available.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-1287: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-1287 · source CWE mapping
Improper Validation of Specified Type of Input
Improper Validation of Specified Type of Input represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.