CVE-2026-34282: Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. in Oracle Corporation Oracle Java SE
CVE-2026-34282 is a high-severity vulnerability affecting multiple versions of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. It allows an unauthenticated attacker with network access via multiple protocols to cause a hang or frequent crash, resulting in a denial of service (DoS). The vulnerability arises from the networking component and can be exploited through APIs, including via web services that supply data to these APIs. It also affects Java deployments running sandboxed Java Web Start applications or applets that load untrusted code relying on the Java sandbox. The CVSS 3. 1 base score is 7. 5, indicating a high impact on availability without affecting confidentiality or integrity. Oracle has published a Critical Patch Update advisory referencing this vulnerability but does not explicitly confirm patch availability or remediation status for this specific CVE in the provided advisory content.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-34282) exists in the networking component of Oracle Java SE and Oracle GraalVM products. It is easily exploitable by unauthenticated attackers with network access via multiple protocols. Exploitation can cause the affected Java runtimes to hang or crash repeatedly, resulting in a complete denial of service. The vulnerability can be triggered through APIs, including web services that interact with these APIs, and affects sandboxed Java Web Start applications and applets that execute untrusted code relying on the Java sandbox. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms network attack vector, low attack complexity, no privileges or user interaction required, and high impact on availability only. The affected versions include Oracle Java SE 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK 17.0.18 and 21.0.10; and Oracle GraalVM Enterprise Edition 21.3.17. Oracle’s April 2026 Critical Patch Update advisory references multiple patches but does not explicitly state patch availability for this CVE.
Potential Impact
Successful exploitation results in an unauthorized ability to cause a hang or frequent crash of Oracle Java SE and Oracle GraalVM runtimes, leading to a complete denial of service (DoS). There is no impact on confidentiality or integrity. The vulnerability can be exploited remotely without authentication or user interaction, making it a significant availability risk for affected systems running vulnerable versions.
Mitigation Recommendations
Oracle’s April 2026 Critical Patch Update advisory references multiple security patches across products, including Oracle Java SE. However, the advisory does not explicitly confirm patch availability or remediation status for CVE-2026-34282. Therefore, patch status is not yet confirmed—check the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for the latest remediation guidance. Oracle strongly recommends applying Critical Patch Updates promptly to mitigate known vulnerabilities. Until a patch is confirmed and applied, consider restricting network access to vulnerable Java services and avoid running untrusted code in sandboxed Java environments.
CVE-2026-34282: Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. in Oracle Corporation Oracle Java SE
Description
CVE-2026-34282 is a high-severity vulnerability affecting multiple versions of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. It allows an unauthenticated attacker with network access via multiple protocols to cause a hang or frequent crash, resulting in a denial of service (DoS). The vulnerability arises from the networking component and can be exploited through APIs, including via web services that supply data to these APIs. It also affects Java deployments running sandboxed Java Web Start applications or applets that load untrusted code relying on the Java sandbox. The CVSS 3. 1 base score is 7. 5, indicating a high impact on availability without affecting confidentiality or integrity. Oracle has published a Critical Patch Update advisory referencing this vulnerability but does not explicitly confirm patch availability or remediation status for this specific CVE in the provided advisory content.
CVSS v3.1
Score 7.5high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-34282) exists in the networking component of Oracle Java SE and Oracle GraalVM products. It is easily exploitable by unauthenticated attackers with network access via multiple protocols. Exploitation can cause the affected Java runtimes to hang or crash repeatedly, resulting in a complete denial of service. The vulnerability can be triggered through APIs, including web services that interact with these APIs, and affects sandboxed Java Web Start applications and applets that execute untrusted code relying on the Java sandbox. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms network attack vector, low attack complexity, no privileges or user interaction required, and high impact on availability only. The affected versions include Oracle Java SE 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK 17.0.18 and 21.0.10; and Oracle GraalVM Enterprise Edition 21.3.17. Oracle’s April 2026 Critical Patch Update advisory references multiple patches but does not explicitly state patch availability for this CVE.
Potential Impact
Successful exploitation results in an unauthorized ability to cause a hang or frequent crash of Oracle Java SE and Oracle GraalVM runtimes, leading to a complete denial of service (DoS). There is no impact on confidentiality or integrity. The vulnerability can be exploited remotely without authentication or user interaction, making it a significant availability risk for affected systems running vulnerable versions.
Mitigation Recommendations
Oracle’s April 2026 Critical Patch Update advisory references multiple security patches across products, including Oracle Java SE. However, the advisory does not explicitly confirm patch availability or remediation status for CVE-2026-34282. Therefore, patch status is not yet confirmed—check the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for the latest remediation guidance. Oracle strongly recommends applying Critical Patch Updates promptly to mitigate known vulnerabilities. Until a patch is confirmed and applied, consider restricting network access to vulnerable Java services and avoid running untrusted code in sandboxed Java environments.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-03-26T19:48:45.676Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cpuapr2026.html","vendor":"Oracle"}]
Threat ID: 69e7e5a419fe3cd2cdf9f87f
Added to database: 4/21/2026, 9:01:24 PM
Last enriched: 4/29/2026, 11:17:56 AM
Last updated: 6/6/2026, 5:56:01 AM
Views: 144
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.