CVE-2026-22003 is a vulnerability in the Hotspot component of Oracle Java SE and Oracle GraalVM Enterprise Edition affecting versions 8u481 and 8u481-b50. It allows a low privileged attacker with local access and requiring user interaction to compromise the affected Java runtime environments. The vulnerability can lead to unauthorized modification of critical or accessible data and cause denial of service through hangs or repeated crashes. It mainly impacts client-side Java deployments that run untrusted code in sandboxed environments, such as Java Web Start applications or applets, and does not affect server-side deployments running only trusted code. The CVSS 3.1 score is 6.0 with vector AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H. Oracle’s April 2026 Critical Patch Update advisory references many patches but does not explicitly confirm a patch for this vulnerability in the provided data.

The vulnerability can result in unauthorized creation, deletion, or modification of critical or accessible data within Oracle Java SE and Oracle GraalVM Enterprise Edition environments. It also allows an attacker to cause a hang or repeated crash, leading to a denial of service condition. Exploitation requires local access with low privileges and user interaction by a third party, making exploitation difficult. The impact affects integrity and availability but not confidentiality.

Oracle’s April 2026 Critical Patch Update advisory is available and customers are strongly advised to apply the latest patches promptly. However, the advisory content provided does not explicitly confirm a patch for CVE-2026-22003. Therefore, patch status is not yet confirmed—check the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for current remediation guidance. Until a patch is confirmed and applied, limit local access to affected systems and avoid running untrusted Java code in sandboxed environments. Note that this vulnerability does not affect server deployments running only trusted code.