CVE-2026-22003
Received - Intake
Privilege Escalation and DoS in Oracle Java SE Hotspot

Publication date: 2026-04-21

Last updated on: 2026-04-24

Assigner: Oracle

Description
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u481 and 8u481-b50; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 6.0 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H).
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-24
Generated: 2026-05-07
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 5 associated CPEs

Vendor   Product   Version / Range
oracle   graalvm   21.3.17
oracle   jdk       1.8.0
oracle   jre       1.8.0
oracle   jdk       1.8.0
oracle   jre       1.8.0
CWE
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Oracle Java SE and Oracle GraalVM Enterprise Edition, specifically in the Hotspot component. It affects certain supported versions such as Oracle Java SE 8u481 and Oracle GraalVM Enterprise Edition 21.3.17.

The vulnerability is difficult to exploit and requires a low privileged attacker who has logon access to the infrastructure where these products run. Additionally, successful exploitation requires human interaction from someone other than the attacker.

If exploited, the attacker can gain unauthorized ability to create, delete, or modify critical data or any data accessible by Oracle Java SE or Oracle GraalVM Enterprise Edition. The attacker can also cause the software to hang or crash repeatedly, resulting in a denial of service.

This vulnerability mainly applies to Java deployments running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code from the internet and rely on the Java sandbox for security. It does not apply to server deployments that run only trusted code installed by an administrator.


How can this vulnerability impact me?

If exploited, this vulnerability can allow an attacker with limited privileges and access to your infrastructure to:

  • Create, delete, or modify critical or accessible data within Oracle Java SE or Oracle GraalVM Enterprise Edition without authorization.
  • Cause the affected software to hang or crash repeatedly, leading to a complete denial of service.

However, exploitation is difficult and requires human interaction from a person other than the attacker.
