This Red Hat security advisory (RHSA-2026:9254) addresses multiple high-severity vulnerabilities in the java-11-openjdk packages with Extended Lifecycle Support for RHEL 7, 8, and 9. The vulnerabilities include out-of-bounds reads (CVE-2025-66293), heap buffer overflows (CVE-2026-25646), use-after-free leading to arbitrary code execution (CVE-2026-33416), denial of service via buffer overflow (CVE-2026-26740), and information disclosure issues in LIBPNG and GIFLIB components used by OpenJDK. The advisory lists a total of 15 CVEs affecting these packages. Red Hat provides updated packages to remediate these issues and recommends applying the update after previous errata are installed. No CVSS scores are provided in the advisory, but the severity is classified as high.

The vulnerabilities fixed in this update can lead to out-of-bounds memory reads, heap buffer overflows, use-after-free conditions, denial of service, information disclosure, and potentially arbitrary code execution within the Java runtime environment. These issues affect the OpenJDK 11 implementation on Red Hat Enterprise Linux versions 7, 8, and 9. Exploitation could compromise the confidentiality, integrity, and availability of affected systems running vulnerable versions of OpenJDK 11. No known exploits in the wild have been reported at the time of this advisory.

Red Hat has released updated java-11-openjdk packages with Extended Lifecycle Support for RHEL 7, 8, and 9 that address these vulnerabilities. Users should apply these updates promptly after ensuring all previously released errata relevant to their systems have been installed. Detailed instructions for applying the update are available in the Red Hat advisory. Since this is an official Red Hat security advisory with fixes available, applying the vendor-provided updates is the recommended mitigation.