CVE-2022-21626 in Java SEinfo

Summary

by MITRE • 10/19/2022

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/28/2026

This vulnerability resides within the security component of Oracle Java SE and Oracle GraalVM Enterprise Edition, representing a critical weakness that can be exploited by unauthenticated attackers over network connections using HTTPS protocols. The affected versions include specific releases of Java SE 8 and 11, alongside various GraalVM Enterprise Edition releases from 20.3.7 through 22.2.0, indicating a broad impact across multiple platform versions. The vulnerability's exploitability is classified as easily accessible, meaning that attackers require minimal prerequisites to execute successful attacks, making it particularly dangerous in production environments where these Java components are deployed.

The technical flaw manifests as a partial denial of service condition that can be triggered through network-based attacks, specifically targeting the security mechanisms within Oracle's Java implementations. This vulnerability operates at the availability level of the CIA triad, with a CVSS base score of 5.3 indicating moderate severity, though the potential for service disruption remains significant. The attack vector requires network access via HTTPS, suggesting that even encrypted communications may not adequately protect against this specific vulnerability. The impact is particularly concerning because it affects deployments where Java applications run in sandboxed environments, such as Java Web Start applications or applets that load untrusted code from internet sources.

The operational implications of this vulnerability extend beyond simple service disruption to potentially compromise entire Java-based systems that rely on sandboxed execution environments for security isolation. Systems running Java applications that process data from external sources or expose APIs that utilize the affected components are particularly at risk. The vulnerability's applicability to web services that supply data to APIs within the affected components creates additional attack surface areas where exploitation could occur. Organizations deploying Java applications in client environments or those that depend on Java sandboxing for security containment face significant risk, as the vulnerability essentially undermines the security model that these environments rely upon.

Mitigation strategies should focus on immediate patching of affected Oracle Java SE and GraalVM Enterprise Edition installations, particularly targeting the specific version ranges mentioned in the vulnerability description. System administrators should implement network segmentation and access controls to limit exposure of vulnerable Java components to untrusted networks. Additional protective measures include disabling unnecessary Java applet and Web Start functionality, implementing network monitoring to detect anomalous HTTPS traffic patterns, and conducting comprehensive vulnerability assessments of all Java-based applications and services. The vulnerability's classification under CWE categories related to security bypass and denial of service provides guidance for implementing appropriate defensive controls, while its mapping to ATT&CK techniques for privilege escalation and service disruption helps security teams understand potential attack progression paths. Organizations should also consider implementing application whitelisting policies to prevent execution of untrusted Java code and establish robust patch management processes to ensure timely remediation of similar vulnerabilities in the future.

Responsible

Oracle

Reservation

11/15/2021

Disclosure

10/19/2022

Moderation

accepted

CPE

ready

EPSS

0.01746

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!