This vulnerability affects Oracle Java SE and Oracle GraalVM products in their Security component across several supported versions. It permits an unauthenticated attacker who already has logon access to the host infrastructure to read a subset of data accessible to these Java environments. Exploitation requires local access and is considered difficult due to high attack complexity and no privileges required. The vulnerability can be triggered via APIs, including web services or sandboxed Java Web Start applications or applets that execute untrusted code relying on the Java sandbox. The CVSS vector indicates local attack vector, high attack complexity, no privileges or user interaction required, and only low confidentiality impact. The vendor advisory (Oracle Critical Patch Update April 2026) does not explicitly confirm a patch or remediation for this specific CVE but strongly urges customers to apply all Critical Patch Updates promptly. No known active exploitation has been reported.

Successful exploitation results in unauthorized read access to a subset of data accessible to Oracle Java SE and GraalVM environments on the affected infrastructure. There is no impact on data integrity or availability. The vulnerability requires local access to the infrastructure and is difficult to exploit. The overall impact is low confidentiality loss with no known active exploitation reported.

Patch status is not yet confirmed—check the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for current remediation guidance. Oracle strongly recommends applying Critical Patch Updates promptly to address this and other vulnerabilities. Until a patch is confirmed, limit local access to infrastructure running affected Oracle Java SE and GraalVM versions and avoid running untrusted code in sandboxed Java environments where possible.