CVE-2026-21945
Published: 20 January 2026
Summary
CVE-2026-21945 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Oracle Jdk. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 16.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.
Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts.
Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.
Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.
The team can analyze and respond to resource exhaustion incidents, reducing the impact of attacks that exploit uncontrolled consumption weaknesses.
Timely maintenance support and spare parts enable rapid recovery from failures induced by uncontrolled resource consumption, shortening the impact window of denial-of-service attacks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly enables application exploitation resulting in endpoint DoS via resource exhaustion.
NVD Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for…
more
JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Deeper analysisAI
CVE-2026-21945 is a vulnerability in the Security component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Affected versions include Oracle Java SE 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, and 25.0.1; Oracle GraalVM for JDK 17.0.17 and 21.0.9; and Oracle GraalVM Enterprise Edition 21.3.16. Associated with CWE-400 (Uncontrolled Resource Consumption), it carries a CVSS 3.1 base score of 7.5 (High), with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, reflecting high availability impact with no confidentiality or integrity effects.
An unauthenticated attacker with network access via multiple protocols can easily exploit this vulnerability to compromise the affected products. Successful exploitation results in the unauthorized ability to cause a hang or frequently repeatable crash, enabling complete denial-of-service (DoS) against the targeted Java instance. The vulnerability applies specifically to client-side Java deployments, such as those running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code from the internet while relying on the Java sandbox for security; it does not affect server-side deployments that load and run only trusted code.
The Oracle security advisory at https://www.oracle.com/security-alerts/cpujan2026.html details mitigation steps, including patches for the supported affected versions. Security practitioners should review this advisory for updated versions and apply them promptly to vulnerable deployments.
Details
- CWE(s)