This vulnerability (CVE-2026-22021) affects the JSSE component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition across multiple versions including 8u481, 11.0.30, 17.0.18, 21.0.10, 25.0.2, and 26. It allows an unauthenticated attacker with network access via HTTPS to cause a partial denial of service condition. The vulnerability can be exploited by invoking APIs that process untrusted data, such as those used by sandboxed Java Web Start applications or applets. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and impact limited to availability. Oracle's April 2026 Critical Patch Update advisory references this vulnerability among many others but does not explicitly state the patch status for this specific issue. No known exploits in the wild have been reported.

Successful exploitation of this vulnerability can lead to a partial denial of service affecting Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. There is no impact on confidentiality or integrity. The vulnerability can be triggered remotely without authentication via HTTPS. No known active exploitation has been reported.

Oracle's April 2026 Critical Patch Update advisory includes numerous security patches and strongly recommends that customers apply these updates without delay. Although the advisory does not explicitly confirm a patch for CVE-2026-22021, applying the latest Critical Patch Update is the best available mitigation. Customers should remain on actively supported versions and promptly apply Oracle's security patches. Patch status is not yet confirmed explicitly for this vulnerability; therefore, check Oracle's advisory regularly for updates and patch availability.