CVE-2026-22018
Received Received - Intake
Partial DoS via API Vulnerability in Oracle Java SE Libraries

Publication date: 2026-04-21

Last updated on: 2026-04-27

Assigner: Oracle

Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-27
Generated
2026-05-07
AI Q&A
2026-04-22
EPSS Evaluated
2026-05-05
NVD
CVE-2026-22018
Affected Vendors & Products
Showing 19 associated CPEs
Vendor Product Version / Range
oracle jre 1.8.0
oracle jre 1.8.0
oracle jre 1.8.0
oracle jre 11.0.30
oracle jre 17.0.18
oracle jre 21.0.10
oracle jre 25.0.2
oracle jre 26
oracle jdk 1.8.0
oracle jdk 1.8.0
oracle jdk 1.8.0
oracle jdk 11.0.30
oracle jdk 17.0.18
oracle jdk 21.0.10
oracle jdk 25.0.2
oracle jdk 26
oracle graalvm 21.3.17
oracle graalvm_for_jdk 17.0.18
oracle graalvm_for_jdk 21.0.10
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition, specifically in the Libraries component. It affects multiple supported versions of these products.

The vulnerability is difficult to exploit but allows an unauthenticated attacker with network access via multiple protocols to compromise these Oracle products.

Exploitation can occur through APIs in the affected component, such as via a web service supplying data to these APIs. It also applies to Java deployments running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code from the internet and rely on the Java sandbox for security.


How can this vulnerability impact me? :

Successful exploitation of this vulnerability can result in an unauthorized ability to cause a partial denial of service (partial DOS) on Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition.

This means that an attacker could disrupt the availability of these Java environments, potentially affecting applications and services that depend on them.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart