PT-2026-34084 · Oracle+1 · Graalvm For Jdk+4

Thomas Beckers

·

Published

2026-01-01

·

Updated

2026-05-29

·

CVE-2026-22016

CVSS v2.0

7.8

High

VectorAV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions Oracle Java SE versions 8u481, 11.0.30, 17.0.18, 21.0.10, 25.0.2 and 26 Oracle GraalVM for JDK versions 17.0.18 and 21.0.10 Oracle GraalVM Enterprise Edition version 21.3.17
Description An issue in the JAXP component allows an unauthenticated attacker with network access via multiple protocols to compromise the system. This can be achieved by using APIs in the specified component, such as through a web service that supplies data to the APIs. The flaw also affects Java deployments that load and run untrusted code, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets that rely on the Java sandbox for security. Successful exploitation can result in unauthorized access to critical data or complete access to all accessible data.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Deserialization of Untrusted Data

Information Disclosure

Weakness Enumeration

CWE-502CWE-200

Related Identifiers

ALSA-2026:9683
ALSA-2026:9686
ALSA-2026:9689
ALSA-2026:9693
BDU:2026-06611
BIT-JAVA-2026-22016
BIT-JAVA-MIN-2026-22016
BIT-JRE-2026-22016
CVE-2026-22016
OPENSUSE-SU-2026:10636-1
OPENSUSE-SU-2026:10637-1
OPENSUSE-SU-2026:10638-1
OPENSUSE-SU-2026:10639-1
OPENSUSE-SU-2026:10656-1
OPENSUSE-SU-2026:10724-1
OPENSUSE-SU-2026:10725-1
OPENSUSE-SU-2026:10726-1
OPENSUSE-SU-2026:10727-1
OPENSUSE-SU-2026:10893-1
RHSA-2026:11403
RHSA-2026:11655
RHSA-2026:11829
RHSA-2026:11902
RHSA-2026:9254
RHSA-2026:9682
RHSA-2026:9683
RHSA-2026:9686
RHSA-2026:9689
RHSA-2026:9693
USN-8327-1
USN-8328-1
USN-8330-1
USN-8331-1
USN-8332-1
USN-8333-1
USN-8334-1
USN-8339-1
USN-8341-1

Affected Products

Graalvm Enterprise Edition
Graalvm For Jdk
Java Platform
Java Se
Rocky Linux