CVE-2026-22008
Received Received - Intake
Integrity Vulnerability in Oracle Java SE Libraries via Network Access

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: Oracle

Description
Vulnerability in Oracle Java SE (component: Libraries). The supported version that is affected is Oracle Java SE: 25.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-22008
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
oracle jdk 25.0.1
oracle jre 25.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-250 The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Oracle Java SE version 25.0.1, specifically in its Libraries component. It is a difficult to exploit flaw that allows an unauthenticated attacker with network access through multiple protocols to compromise Oracle Java SE. The vulnerability affects Java deployments that run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets that rely on the Java sandbox for security. It does not affect Java deployments that run only trusted code, like those installed by an administrator.

Successful exploitation can result in unauthorized update, insert, or delete access to some of the data accessible by Oracle Java SE.

Impact Analysis

If exploited, this vulnerability can allow an attacker to perform unauthorized modificationsβ€”such as updates, inserts, or deletionsβ€”on data accessible by Oracle Java SE. This could compromise the integrity of the data within affected Java applications that run untrusted code.

However, the vulnerability is rated with a CVSS base score of 3.7, indicating a low to moderate impact primarily on data integrity, and it is difficult to exploit.

Compliance Impact

The vulnerability allows an unauthenticated attacker with network access to perform unauthorized update, insert, or delete operations on some Oracle Java SE accessible data. This unauthorized data modification could potentially impact the integrity of data handled by applications using the affected Java SE version.

However, the provided information does not specify any direct impact on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, ensure that you do not run untrusted Java Web Start applications or sandboxed Java applets that load untrusted code from the internet.

Avoid using affected Oracle Java SE version 25.0.1 in environments where untrusted code is executed.

Prefer Java deployments that load and run only trusted code installed by an administrator, typically in server environments.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22008. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart