CVE-2026-22021
Received Received - Intake
Partial DoS via JSSE Vulnerability in Oracle Java SE and GraalVM

Publication date: 2026-04-21

Last updated on: 2026-04-27

Assigner: Oracle

Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-27
Generated
2026-05-07
AI Q&A
2026-04-22
EPSS Evaluated
2026-05-05
NVD
CVE-2026-22021
Affected Vendors & Products
Showing 19 associated CPEs
Vendor Product Version / Range
oracle jre 1.8.0
oracle jre 1.8.0
oracle jre 1.8.0
oracle jre 11.0.30
oracle jre 17.0.18
oracle jre 21.0.10
oracle jre 25.0.2
oracle jre 26
oracle jdk 1.8.0
oracle jdk 1.8.0
oracle jdk 1.8.0
oracle jdk 11.0.30
oracle jdk 17.0.18
oracle jdk 21.0.10
oracle jdk 25.0.2
oracle jdk 26
oracle graalvm 21.3.17
oracle graalvm_for_jdk 17.0.18
oracle graalvm_for_jdk 21.0.10
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :

If exploited, this vulnerability can allow an attacker to cause a partial denial of service on affected Oracle Java SE and GraalVM products. This means that the availability of these services or applications running on these platforms could be disrupted, potentially leading to downtime or degraded performance.


Can you explain this vulnerability to me?

This vulnerability affects Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition, specifically in the JSSE component. It allows an unauthenticated attacker with network access via HTTPS to exploit the system. The attack can be carried out by using APIs in the affected component, such as through a web service supplying data to these APIs. It also impacts Java deployments that run untrusted code in sandboxed environments, like Java Web Start applications or Java applets that rely on the Java sandbox for security.

The vulnerability can lead to a partial denial of service (partial DOS) condition, meaning it can disrupt availability but does not affect confidentiality or integrity.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart