CVE-2026-22021: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. in Oracle Corporation Oracle Java SE
CVE-2026-22021 is a medium severity vulnerability in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition affecting the JSSE component. It allows an unauthenticated attacker with network access via HTTPS to cause a partial denial of service (DoS) condition. The vulnerability impacts multiple supported versions of these products. Exploitation can occur through APIs, such as web services supplying data to the affected component, including sandboxed Java Web Start applications or applets running untrusted code. The CVSS 3. 1 base score is 5. 3, reflecting an availability impact without confidentiality or integrity compromise. Oracle has published a Critical Patch Update advisory that includes patches for numerous vulnerabilities but does not explicitly confirm patch availability or remediation status for this specific CVE. Customers are strongly advised to apply Oracle Critical Patch Updates promptly to mitigate known vulnerabilities.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-22021) affects the JSSE component of Oracle Java SE and Oracle GraalVM products across multiple versions. It allows an unauthenticated attacker with network access over HTTPS to cause a partial denial of service. The attack vector requires no privileges or user interaction and impacts availability only. The vulnerability can be exploited via APIs, including those used by sandboxed Java Web Start applications or applets that load untrusted code. The CVSS 3.1 score is 5.3 (medium severity). Oracle's April 2026 Critical Patch Update advisory references numerous security patches but does not explicitly state the patch status for this vulnerability. No known exploits in the wild have been reported.
Potential Impact
Successful exploitation results in a partial denial of service impacting availability of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. There is no impact on confidentiality or integrity. The vulnerability can be triggered remotely without authentication via HTTPS network access. It affects multiple supported versions of the products listed. No known active exploitation has been reported.
Mitigation Recommendations
Oracle strongly recommends applying the April 2026 Critical Patch Update and staying current with all security patches. Although the vendor advisory does not explicitly confirm a patch specifically for CVE-2026-22021, the advisory covers a broad set of vulnerabilities and customers should apply the update promptly. Patch status is not yet confirmed specifically for this CVE—check the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for the latest remediation guidance. No vendor advisory states that no action is required or that the issue is already mitigated.
CVE-2026-22021: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. in Oracle Corporation Oracle Java SE
Description
CVE-2026-22021 is a medium severity vulnerability in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition affecting the JSSE component. It allows an unauthenticated attacker with network access via HTTPS to cause a partial denial of service (DoS) condition. The vulnerability impacts multiple supported versions of these products. Exploitation can occur through APIs, such as web services supplying data to the affected component, including sandboxed Java Web Start applications or applets running untrusted code. The CVSS 3. 1 base score is 5. 3, reflecting an availability impact without confidentiality or integrity compromise. Oracle has published a Critical Patch Update advisory that includes patches for numerous vulnerabilities but does not explicitly confirm patch availability or remediation status for this specific CVE. Customers are strongly advised to apply Oracle Critical Patch Updates promptly to mitigate known vulnerabilities.
CVSS v3.1
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-22021) affects the JSSE component of Oracle Java SE and Oracle GraalVM products across multiple versions. It allows an unauthenticated attacker with network access over HTTPS to cause a partial denial of service. The attack vector requires no privileges or user interaction and impacts availability only. The vulnerability can be exploited via APIs, including those used by sandboxed Java Web Start applications or applets that load untrusted code. The CVSS 3.1 score is 5.3 (medium severity). Oracle's April 2026 Critical Patch Update advisory references numerous security patches but does not explicitly state the patch status for this vulnerability. No known exploits in the wild have been reported.
Potential Impact
Successful exploitation results in a partial denial of service impacting availability of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. There is no impact on confidentiality or integrity. The vulnerability can be triggered remotely without authentication via HTTPS network access. It affects multiple supported versions of the products listed. No known active exploitation has been reported.
Mitigation Recommendations
Oracle strongly recommends applying the April 2026 Critical Patch Update and staying current with all security patches. Although the vendor advisory does not explicitly confirm a patch specifically for CVE-2026-22021, the advisory covers a broad set of vulnerabilities and customers should apply the update promptly. Patch status is not yet confirmed specifically for this CVE—check the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for the latest remediation guidance. No vendor advisory states that no action is required or that the issue is already mitigated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-01-05T18:07:34.731Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cpuapr2026.html","vendor":"Oracle"}]
Threat ID: 69e7e5a019fe3cd2cdf9f730
Added to database: 4/21/2026, 9:01:20 PM
Last enriched: 4/29/2026, 11:33:24 AM
Last updated: 6/5/2026, 6:41:15 PM
Views: 142
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.