CVE-2026-22016

HighRCE

Published: 21 April 2026

Published

21 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0012 30.0th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22016 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Oracle Jre. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the vulnerability by requiring timely identification, reporting, and remediation of flaws, including application of Oracle's Critical Patch Update patches for affected Java SE and GraalVM versions.

CM-6 Configuration Settings good match

prevent

Enforces secure baseline configuration settings for the Java runtime and JAXP component to disable unsafe features such as external entity processing or untrusted deserialization that could be exploited.

SI-10 Information Input Validation partial match

prevent

Validates untrusted network inputs supplied to JAXP APIs via web services or sandboxed applications to block malformed data that triggers the information disclosure vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Direct remote unauthenticated exploitation of a network-accessible Java JAXP API (often via web service) leading to sensitive data disclosure matches initial access via public-facing application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM…

for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Deeper analysisAI

CVE-2026-22016 is a vulnerability in the JAXP component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Affected versions include Oracle Java SE 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, and 26; Oracle GraalVM for JDK 17.0.18 and 21.0.10; and Oracle GraalVM Enterprise Edition 21.3.17. The issue, associated with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-502 (Deserialization of Untrusted Data), has a CVSS 3.1 base score of 7.5 (High) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating high confidentiality impact with no integrity or availability effects.

An unauthenticated attacker with network access via multiple protocols can easily exploit this vulnerability. Exploitation occurs through APIs in the JAXP component, such as via a web service supplying data to the APIs. It also affects Java deployments like clients running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code from the internet while relying on the Java sandbox for security. Successful attacks result in unauthorized access to critical data or complete access to all data accessible by the affected Oracle Java SE, Oracle GraalVM for JDK, or Oracle GraalVM Enterprise Edition products.

Oracle's Critical Patch Update for April 2026, detailed at https://www.oracle.com/security-alerts/cpuapr2026.html, addresses this vulnerability with patches for the supported affected versions. Security practitioners should apply these updates promptly to mitigate the risk.

Details

CWE(s): CWE-200 CWE-502

Affected Products

oracle

jre

1.8.0, 11.0.30, 17.0.18, 21.0.10, 25.0.2

oracle

jdk

1.8.0, 11.0.30, 17.0.18, 21.0.10, 25.0.2

oracle

graalvm

21.3.17

oracle

graalvm for jdk

17.0.18, 21.0.10

CVEs Like This One

CVE-2025-50106Same product: Oracle Graalvm

CVE-2026-21932Same product: Oracle Graalvm

CVE-2026-34282Same product: Oracle Graalvm

CVE-2025-50059Same product: Oracle Graalvm

CVE-2025-30749Same product: Oracle Graalvm

CVE-2026-21945Same product: Oracle Graalvm

CVE-2026-34305Same vendor: Oracle

CVE-2026-34297Same vendor: Oracle

CVE-2026-21940Same vendor: Oracle

CVE-2025-50105Same vendor: Oracle

References

https://www.oracle.com/security-alerts/cpuapr2026.html
Vendor Advisory · secalert_us@oracle.com