This vulnerability (CVE-2026-22016) affects Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition in the JAXP component across multiple versions including 8u481, 11.0.30, 17.0.18, 21.0.10, 25.0.2, and 26. It allows unauthenticated attackers with network access to exploit APIs to gain unauthorized access to critical or all accessible data. The vulnerability is exploitable without user interaction and has a CVSS 3.1 score of 7.5, primarily impacting confidentiality. It also affects sandboxed Java Web Start applications and applets that load untrusted code. Oracle's April 2026 Critical Patch Update advisory includes security patches addressing this vulnerability among others, though explicit patch availability for this specific CVE is not detailed in the provided advisory content.

Successful exploitation can lead to unauthorized access to critical or all accessible data within affected Oracle Java SE and GraalVM environments. The vulnerability does not impact integrity or availability but poses a significant confidentiality risk. It can be exploited remotely without authentication or user interaction, increasing its risk profile. There are no known exploits in the wild at the time of publication.

Oracle has released a Critical Patch Update in April 2026 that includes patches addressing this vulnerability along with many others. Customers are strongly advised to apply the April 2026 Critical Patch Update promptly to mitigate this vulnerability. Since the vendor advisory does not explicitly confirm patch availability for this specific CVE, users should consult the official Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for detailed patch information and installation instructions. Maintaining up-to-date supported versions and applying Oracle's security patches without delay is critical to mitigating this risk.