LiveActive security incident?Get immediate response
CVE Record

CVE-2026-21932: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of O...

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).

HighCVSS 7.4Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2026-21932 is a high-severity Oracle Java and GraalVM issue affecting client-style Java deployments that run untrusted sandboxed code. A user must interact with malicious content. Successful exploitation can let an attacker create, delete, or modify critical data accessible to Java. Oracle says typical trusted server-side Java deployments are not affected by this issue.

Executive priority

Prioritize remediation for user-facing systems that can run untrusted Java content. Business risk is data integrity loss, not confidentiality or availability per the CVSS vector. Server-only Java workloads using trusted code are lower priority based on Oracle’s scope note, but should be inventoried to confirm applicability.

Technical view

The flaw is in Oracle Java SE and GraalVM AWT/JavaFX, associated with CWE-1287. CVSS is 7.4: network attack vector, low complexity, no privileges, user interaction required, scope changed, high integrity impact. Affected versions include Java SE 8u471, 11.0.29, 17.0.17, 21.0.9, 25.0.1; GraalVM for JDK 17.0.17/21.0.9; GraalVM EE 21.3.16.

Likely exposure

Highest exposure is on endpoints, kiosks, or applications that run sandboxed Java Web Start applications or applets from untrusted sources. Oracle states the issue does not apply to typical server deployments that load only trusted administrator-installed code. Organizations should still check packaged Java from Oracle, Red Hat, Siemens-impacted products, and embedded dependencies.

Exploitation context

Oracle describes the vulnerability as easily exploitable by an unauthenticated attacker with network access via multiple protocols, but requiring human interaction. The provided data does not show CISA KEV listing, and no cited source states active exploitation. Treat it as urgent for environments still using untrusted sandboxed Java content.

Researcher notes

Public information names AWT/JavaFX and CWE-1287 but does not provide root-cause details or safe proof-of-concept material. Analysis should focus on version exposure, deployment model, and whether untrusted sandboxed Java code is allowed. Avoid assuming all Java servers are exploitable; Oracle explicitly narrows applicability.

Mitigation direction

  • Apply Oracle January 2026 CPU guidance for affected Java and GraalVM versions.
  • Apply relevant Red Hat RHSA updates for Red Hat-packaged Java where applicable.
  • Check Siemens advisory for affected products and vendor-specific remediation.
  • Remove or disable untrusted Java Web Start or applet usage where possible.
  • Do not rely on Java sandboxing for untrusted internet code until updated.

Validation and detection

  • Inventory Oracle Java SE and GraalVM versions against the affected version list.
  • Identify endpoints or apps running Java Web Start or sandboxed applets.
  • Confirm whether Java loads untrusted internet-sourced code or only administrator-installed code.
  • Verify Oracle, Red Hat, or Siemens advisory remediation is applied.
  • Document exceptions where vendor-fixed packages are not yet available.
Prepared
Confidence
high
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-1287: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-21932 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7.4 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

2CVSS vectors
5Timeline events
3ADP providers
11Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

2 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7.4CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N2.84oracle
7.4CVSS 3.1HighCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N2.84redhat-SADP

Vulnerability scoring details

Base CVSS 3.1 score

7.4High
CVSS 3.1 vector shape for CVE-2026-21932Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Reported to Red Hat.

  3. ADP timelineredhat-SADP

    Made public.

  4. CVE publishedCVE Program

    The CVE record was published.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
siemens-SADPADP container
redhat-SADPopenjdk: Enhance Handling of URIs (Oracle CPU 2026-01)
other:Red Hat severity ratingcvssV3_1
  • 2026-01-15T12:01:50.512Z: Reported to Red Hat.
  • 2026-01-20T21:21:00.000Z: Made public.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Oracle CorporationOracle Java SE8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1Listed
Oracle CorporationOracle GraalVM for JDK17.0.17, 21.0.9Listed
Oracle CorporationOracle GraalVM Enterprise Edition21.3.16Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-1287 · source CWE mapping

Improper Validation of Specified Type of Input

Improper Validation of Specified Type of Input represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.