This vulnerability (CVE-2026-34268) affects Oracle Java SE and Oracle GraalVM products in their security components. It allows an unauthenticated attacker who has logon access to the host infrastructure to read some accessible data without authorization. The attack complexity is high, and no privileges or user interaction are required. The vulnerability can be exploited through APIs, including those exposed by web services or sandboxed Java Web Start applications or applets that run untrusted code relying on the Java sandbox. The CVSS 3.1 score is 2.9, indicating a low-severity confidentiality impact. Oracle's April 2026 Critical Patch Update advisory references this vulnerability but does not explicitly state patch availability or remediation status for it individually.

Successful exploitation results in unauthorized read access to a subset of data accessible by the affected Oracle Java SE and GraalVM products. There is no impact on integrity or availability. The vulnerability requires local logon access and has high attack complexity, limiting the likelihood of exploitation. No known exploits are reported in the wild.

Oracle's April 2026 Critical Patch Update advisory includes multiple security patches and strongly recommends applying these updates promptly. Although the advisory does not explicitly confirm a patch for CVE-2026-34268, customers should remain on actively supported versions and apply the latest Critical Patch Updates without delay. No vendor advisory states that no action is required or that the vulnerability is already mitigated. Therefore, applying Oracle's cumulative security patches is the recommended mitigation.