CVE-2026-21945
BaseFortify
Publication date: 2026-01-20
Last updated on: 2026-01-30
Assigner: Oracle
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oracle | graalvm | 21.3.16 |
| oracle | graalvm_for_jdk | 17.0.17 |
| oracle | graalvm_for_jdk | 21.0.9 |
| oracle | jdk | 1.8.0 |
| oracle | jdk | 1.8.0 |
| oracle | jdk | 1.8.0 |
| oracle | jdk | 11.0.29 |
| oracle | jdk | 17.0.17 |
| oracle | jdk | 21.0.9 |
| oracle | jdk | 25.0.1 |
| oracle | jre | 1.8.0 |
| oracle | jre | 1.8.0 |
| oracle | jre | 1.8.0 |
| oracle | jre | 11.0.29 |
| oracle | jre | 17.0.17 |
| oracle | jre | 21.0.9 |
| oracle | jre | 25.0.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability described (CVE-2026-21945) results in a denial of service (DoS) condition by allowing an unauthenticated attacker to cause a hang or crash of affected Oracle Java SE and GraalVM products. It impacts availability but does not affect confidentiality or integrity.
There is no explicit information in the provided context or resources about how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
However, since the vulnerability impacts availability (CVSS score 7.5, with an availability impact), organizations relying on these Oracle Java components for critical systems may face challenges in meeting availability requirements stipulated by such regulations.
Timely patching as recommended by Oracle is essential to maintain system availability and reduce risk, which indirectly supports compliance with standards that require maintaining system availability and security.
Can you explain this vulnerability to me?
This vulnerability affects Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. It allows an unauthenticated attacker with network access via multiple protocols to cause a hang or repeated crash (denial of service) in these products. It mainly impacts Java deployments that run untrusted code in sandboxed environments, such as Java Web Start applications or applets loaded from the internet. It does not affect server deployments that run only trusted code.
How can this vulnerability impact me? :
The vulnerability can lead to a denial of service (DoS) condition by causing the affected Java applications to hang or crash repeatedly. This can disrupt availability of services or applications relying on these Java environments, especially those running untrusted code in sandboxed contexts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
Oracle strongly recommends the immediate application of the security patches provided in the January 2026 Critical Patch Update to mitigate this vulnerability.
Interim risk mitigation measures may include blocking network protocols required for attacks or restricting user privileges and package access, although these measures may disrupt functionality and are not substitutes for patching.