CVE-2026-22008 is a vulnerability in Oracle Java SE 25.0.1 Libraries component that allows an unauthenticated attacker with network access via multiple protocols to compromise the integrity of some accessible data by unauthorized update, insert, or delete operations. The vulnerability affects client-side Java deployments that run untrusted code in sandboxed environments such as Java Web Start applications or applets. It does not apply to server-side deployments that run only trusted code. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates network attack vector, high attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or availability impact, and low integrity impact. Oracle’s April 2026 Critical Patch Update advisory references many patches but does not explicitly confirm a fix for this CVE. No known exploits have been reported.

Successful exploitation could allow an unauthenticated attacker to perform unauthorized modifications (update, insert, or delete) to some data accessible by Oracle Java SE in affected client-side sandboxed environments. There is no impact on confidentiality or availability. The vulnerability is rated low severity with a CVSS score of 3.7. It does not affect server-side Java deployments that run trusted code.

Patch status is not yet confirmed — check the Oracle April 2026 Critical Patch Update advisory for current remediation guidance (https://www.oracle.com/security-alerts/cpuapr2026.html). Oracle strongly recommends applying Critical Patch Updates promptly to address vulnerabilities. Since no explicit patch is confirmed for this CVE in the advisory, organizations should monitor Oracle’s updates and apply patches as they become available. Additionally, limiting exposure of client-side Java applications that run untrusted code and enforcing strict sandboxing policies may reduce risk.