Vulnerability in Oracle Java SE and GraalVM Products
CVE-2026-22018

3.7 LOW

What is CVE-2026-22018?

This vulnerability exists within Oracle Java SE and GraalVM products, allowing unauthenticated attackers with network access to exploit the software via multiple protocols. By leveraging specific APIs in the affected component, attackers may induce a partial denial of service, potentially disrupting the functionality of applications that rely on these Java environments. This risk is particularly relevant for deployments running in sandboxed modes, such as Java Web Start applications or applets, which execute untrusted code sourced from the internet. The exploitation could lead to significant availability concerns for users and organizations depending on these platforms.

Affected Version(s)

Oracle GraalVM Enterprise Edition 21.3.17

Oracle GraalVM for JDK 17.0.18

Oracle GraalVM for JDK 21.0.10

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
