CVE-2022-21360 in Java SE
Summary
by MITRE • 01/19/2022
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: ImageIO). Supported versions that are affected are Oracle Java SE: 7u321, 8u311, 11.0.13, 17.0.1; Oracle GraalVM Enterprise Edition: 20.3.4 and 21.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/28/2026
The vulnerability identified as CVE-2022-21360 resides within the Oracle Java SE and Oracle GraalVM Enterprise Edition image processing components, specifically affecting the ImageIO functionality. This flaw manifests in multiple supported versions including Java SE 7u321, 8u311, 11.0.13, and 17.01, alongside GraalVM Enterprise Edition versions 20.3.4 and 21.3.0. The vulnerability's classification as easily exploitable indicates that attackers can leverage network-based attacks without requiring authentication, making it particularly dangerous in environments where Java applications process untrusted data from external sources.
The technical nature of this vulnerability stems from insufficient input validation within the ImageIO component, which processes various image formats including but not limited to jpeg, png, and gif. When Java applications encounter malformed image data through network protocols, the vulnerable ImageIO implementation fails to properly handle the malformed input, potentially leading to resource exhaustion or memory corruption. This flaw operates at the core of Java's image processing pipeline and can be triggered through multiple attack vectors including web services, Java applets, or Java Web Start applications that utilize the affected APIs. The vulnerability's CVSS score of 5.3 reflects its availability impact with a low attack complexity and no required privileges, making it accessible to a broad range of threat actors.
The operational impact of this vulnerability extends beyond simple denial of service conditions, as it can compromise the availability of Java applications and systems running affected versions. Attackers can exploit this weakness to create partial denial of service scenarios that may disrupt legitimate application functionality, particularly in environments where Java applications are heavily dependent on image processing capabilities. The vulnerability's applicability to sandboxed environments is particularly concerning as it demonstrates how even restricted execution contexts can be compromised when applications load untrusted image data. Systems that rely on Java for web services, image processing applications, or client-side applications using Java applets are at significant risk when these components are exposed to untrusted data sources.
Mitigation strategies for CVE-2022-21360 should prioritize immediate patching of affected Oracle Java SE and GraalVM Enterprise Edition installations to the latest supported versions. Organizations should implement network segmentation and access controls to limit exposure of Java applications to untrusted network traffic, particularly when these applications process image data from external sources. The principle of least privilege should be enforced by ensuring that Java applications running in sandboxed environments have minimal necessary permissions and that image processing capabilities are properly restricted. Security monitoring should include detection of anomalous image processing activities and memory usage patterns that may indicate exploitation attempts. Additionally, organizations should consider implementing application whitelisting controls and disabling unnecessary image format support in Java applications to reduce the attack surface. This vulnerability aligns with CWE-129, Input Validation, and maps to ATT&CK technique T1203, Exploitation for Client Execution, highlighting the importance of both input validation and client-side attack prevention measures in securing Java-based applications.