CVE-2026-21945: Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of O...
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Security readout for executives and security teams
Plain-English summary
CVE-2026-21945 is a denial-of-service issue in specific Oracle Java SE and GraalVM releases. An unauthenticated network attacker can cause affected Java environments to hang or repeatedly crash. Oracle notes the risk is mainly for sandboxed Java clients running untrusted internet-sourced code, not typical servers running only administrator-installed trusted code.
Executive priority
Treat as high priority where legacy Java client technologies remain in use. For server-only Java environments running trusted code, prioritize verification and routine vendor patching rather than emergency response unless vendor guidance says otherwise.
Technical view
Oracle rates this CVSS 7.5, AV:N/AC:L/PR:N/UI:N, with high availability impact only. Affected releases include Java SE 8u471, 11.0.29, 17.0.17, 21.0.9, 25.0.1; GraalVM for JDK 17.0.17 and 21.0.9; and GraalVM Enterprise Edition 21.3.16. Listed weaknesses include CWE-295 and CWE-400.
Likely exposure
Highest exposure is client-side Java deployments that still run sandboxed Java Web Start applications or applets from untrusted sources. Standard server-side Java applications are less likely exposed when they load only trusted code installed by administrators, per Oracle’s note.
Exploitation context
The provided sources describe easy network exploitation and complete denial of service. They do not show CISA KEV listing or active exploitation evidence. No confidentiality or integrity impact is described in the CVSS vector.
Researcher notes
The key scoping detail is Oracle’s deployment note limiting applicability to sandboxed clients running untrusted code. The source bundle does not provide root-cause details, proof-of-concept status, or exact fixed version numbers beyond vendor advisory references.
Mitigation direction
Inventory Oracle Java SE and GraalVM versions against the affected version list.
Apply Oracle CPU January 2026 guidance or later vendor-provided fixes.
For Red Hat builds, follow the relevant RHSA advisories for your platform.
For Siemens environments, review SSA-032379 for product-specific guidance.
Reduce or disable sandboxed Java clients that run untrusted internet-sourced code.
Validation and detection
Confirm installed Java and GraalVM versions across endpoints and servers.
Identify Java Web Start, applet, or sandboxed-client usage in the environment.
Check whether affected runtimes load untrusted code from network sources.
Verify vendor advisory status for Oracle, Red Hat, and Siemens-managed packages.
Monitor affected systems for repeated Java hangs or crashes.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-295: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-295 · source CWE mapping
Improper Certificate Validation
Improper Certificate Validation represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Uncontrolled Resource Consumption represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.