Security Vulnerability Report
CVE-2026-21925 CVSS 4.8 MEDIUM

CVE-2026-21925

Published: 2026-01-20 22:15:55
Last Modified: 2026-05-12 13:17:31

Description

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

CVSS Details

CVSS Score: 4.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:oracle:graalvm:21.3.16:*:*:*:enterprise:*:*:* - VULNERABLE
cpe:2.3:a:oracle:graalvm_for_jdk:17.0.17:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:oracle:graalvm_for_jdk:21.0.9:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:oracle:jdk:1.8.0:update471:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:oracle:jdk:1.8.0:update471:*:*:enterprise_performance_pack:*:*:* - VULNERABLE
Oracle Java SE 8u471
Oracle Java SE 8u471-b50
Oracle Java SE 8u471-perf
Oracle Java SE 11.0.29
Oracle Java SE 17.0.17
Oracle Java SE 21.0.9
Oracle Java SE 25.0.1
Oracle GraalVM for JDK 17.0.17
Oracle GraalVM for JDK 21.0.9
Oracle GraalVM Enterprise Edition 21.3.16

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
import java.io.Serializable;
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;

/**
 * CVE-2026-21925 PoC - Oracle Java RMI Component Vulnerability
 * Note: This is a conceptual PoC demonstrating RMI service interaction.
 * Actual exploitation requires specific vulnerable versions.
 */
public class CVE202621925_PoC {
    public static void main(String[] args) {
        try {
            String targetHost = args.length > 0 ? args[0] : "localhost";
            int rmiPort = args.length > 1 ? Integer.parseInt(args[1]) : 1099;
            System.out.println("[*] CVE-2026-21925 RMI Vulnerability Check");
            System.out.println("[*] Target: " + targetHost + ":" + rmiPort);

            // Attempt to locate the RMI registry
            Registry registry = LocateRegistry.getRegistry(targetHost, rmiPort);

            // List available bindings
            String[] bindings = registry.list();
            System.out.println("[+] Found " + bindings.length + " RMI bindings");
            for (String binding : bindings) {
                System.out.println("    - " + binding);
            }
            System.out.println("[*] Note: This PoC only demonstrates RMI service discovery.");
            System.out.println("[*] Actual exploitation requires specific payload crafting.");
        } catch (Exception e) {
            System.err.println("[!] Error: " + e.getMessage());
            e.printStackTrace();
        }
    }
}

// Example vulnerable Java code pattern:
// RMI server with vulnerable deserialization.
// A remote interface is required so that UnicastRemoteObject can export the
// object and Registry.bind will accept it; the original sketch omitted it.
interface VulnerableService extends Remote {
    String processData(Serializable obj) throws RemoteException;
}

class VulnerableRMIServer extends UnicastRemoteObject implements VulnerableService {
    protected VulnerableRMIServer() throws RemoteException {
        super();
    }

    public String processData(Serializable obj) {
        // Vulnerable: the argument is deserialized by the RMI runtime without validation
        return "Processed: " + obj.toString();
    }

    public static void main(String[] args) throws Exception {
        VulnerableRMIServer server = new VulnerableRMIServer();
        Registry registry = LocateRegistry.createRegistry(1099);
        registry.bind("VulnerableService", server);
        System.out.println("Vulnerable RMI Server running...");
    }
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21925", "sourceIdentifier": "[email protected]", "published": "2026-01-20T22:15:54.917", "lastModified": "2026-05-12T13:17:31.180", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)."}, {"lang": "es", "value": "Vulnerabilidad en el producto Oracle Java SE, Oracle GraalVM para JDK, Oracle GraalVM Enterprise Edition de Oracle Java SE (componente: RMI). 
Las versiones compatibles afectadas son Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM para JDK: 17.0.17 y 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Vulnerabilidad difícil de explotar permite a un atacante no autenticado con acceso de red a través de múltiples protocolos comprometer Oracle Java SE, Oracle GraalVM para JDK, Oracle GraalVM Enterprise Edition. Ataques exitosos de esta vulnerabilidad pueden resultar en acceso no autorizado de actualización, inserción o eliminación a algunos de los datos accesibles de Oracle Java SE, Oracle GraalVM para JDK, Oracle GraalVM Enterprise Edition, así como acceso de lectura no autorizado a un subconjunto de los datos accesibles de Oracle Java SE, Oracle GraalVM para JDK, Oracle GraalVM Enterprise Edition. Nota: Esta vulnerabilidad puede ser explotada utilizando APIs en el Componente especificado, por ejemplo, a través de un servicio web que suministra datos a las APIs. Esta vulnerabilidad también se aplica a implementaciones de Java, típicamente en clientes que ejecutan aplicaciones Java Web Start en sandbox o applets de Java en sandbox, que cargan y ejecutan código no confiable (por ejemplo, código que proviene de internet) y dependen del sandbox de Java para la seguridad. Puntuación Base CVSS 3.1 4.8 (Impactos en la Confidencialidad e Integridad). 
Vector CVSS: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:graalvm:21.3.16:*:*:*:enterprise:*:*:*", "matchCriteriaId": "625D4829-2E57-4C05-BEFE-CE30F6D16E9B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:17.0.17:*:*:*:*:*:*:*", "matchCriteriaId": "AF0F6A0B-89BB-4851-9DF7-2A6C139DAF47"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:graalvm_for_jdk:21.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "FB4F8E6F-3B7D-49D8-8619-63B23F244AF4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:jdk:1.8.0:update471:*:*:-:*:*:*", "matchCriteriaId": "2905151E-7D6C-4E7C-A371-941EABBF6CC7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:jdk:1.8.0:update471:*:*:enterprise_performance_pack:*:*:*", "matchCriteriaId": "A77BE683-07F2-4A1E-8B62-E104B4866DC3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:jdk:1.8.0:update471_b50:*:*:-:*:*:*", "matchCriteriaId": "3605CFE2-513B-4384-9617-6F4A86DFCEF3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:jdk:11.0.29:*:*:*:*:*:*:*", "matchCriteriaId": ... (truncated)