CVE-2026-34282

High

Published: 21 April 2026

Published

21 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0005 14.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34282 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Oracle Jre. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific flaw in the Java Networking component through application of Oracle's Critical Patch Update patches for affected versions.

SC-5 Denial-of-service Protection good match

preventdetect

Implements denial-of-service protections tailored to limit the effects of unauthenticated network-based resource exhaustion attacks causing hangs or crashes.

SI-10 Information Input Validation partial match

prevent

Validates inputs supplied to Networking APIs via web services or untrusted code to mitigate uncontrolled resource consumption leading to DoS.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Vulnerability enables direct exploitation of Java networking APIs to cause resource exhaustion leading to application/system crash and DoS, mapping to T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK:…

17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Deeper analysisAI

CVE-2026-34282 is a vulnerability in the Networking component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. The affected versions are Oracle Java SE 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, and 26; Oracle GraalVM for JDK 17.0.18 and 21.0.10; and Oracle GraalVM Enterprise Edition 21.3.17. This issue, associated with CWE-400 (Uncontrolled Resource Consumption), carries a CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to availability impacts.

An unauthenticated attacker with network access via multiple protocols can easily exploit this vulnerability to compromise the affected products. Successful exploitation results in unauthorized ability to cause a hang or frequently repeatable crash, leading to a complete denial of service (DoS). The vulnerability can be triggered by using APIs in the Networking component, for example through a web service supplying data to the APIs, and it also applies to Java deployments such as clients running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code from the internet while relying on the Java sandbox for security.

Oracle details this vulnerability and provides patches in their Critical Patch Update for April 2026, available at https://www.oracle.com/security-alerts/cpuapr2026.html. Security practitioners should apply the relevant updates to supported versions to mitigate the risk of DoS attacks.

Details

CWE(s): CWE-400

Affected Products

oracle

jre

1.8.0, 11.0.30, 17.0.18, 21.0.10, 25.0.2

oracle

jdk

1.8.0, 11.0.30, 17.0.18, 21.0.10, 25.0.2

oracle

graalvm

21.3.17

oracle

graalvm for jdk

17.0.18, 21.0.10

CVEs Like This One

CVE-2026-21945Same product: Oracle Graalvm

CVE-2026-34290Same vendor: Oracle

CVE-2026-21932Same product: Oracle Graalvm

CVE-2025-21549Same vendor: Oracle

CVE-2025-30749Same product: Oracle Graalvm

CVE-2026-22016Same product: Oracle Graalvm

CVE-2025-50106Same product: Oracle Graalvm

CVE-2025-50059Same product: Oracle Graalvm

CVE-2025-21547Same vendor: Oracle

CVE-2025-21521Same vendor: Oracle

References

https://www.oracle.com/security-alerts/cpuapr2026.html
Vendor Advisory · secalert_us@oracle.com