Oracle GraalVM

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in Oracle GraalVM.

EOL Dates

Ensure that you are using a supported version of Oracle GraalVM. Here are some end of life, and end of support dates for Oracle GraalVM.

Release	EOL Date	Status
jdk-24	September 16, 2025	EOL Oracle GraalVM jdk-24 became EOL in 2025.
jdk-23	March 18, 2025	EOL Oracle GraalVM jdk-23 became EOL in 2025.
jdk-22	September 17, 2024	EOL Oracle GraalVM jdk-22 became EOL in 2024.
jdk-21	September 30, 2031	Active Oracle GraalVM jdk-21 will become EOL in 6 years (in 2031).
jdk-20	September 19, 2023	EOL Oracle GraalVM jdk-20 became EOL in 2023.
jdk-17	September 30, 2029	Active Oracle GraalVM jdk-17 will become EOL in 4 years (in 2029).
22.3	October 25, 2023	EOL Oracle GraalVM 22.3 became EOL in 2023.
22.2	October 25, 2022	EOL Oracle GraalVM 22.2 became EOL in 2022.
22.1	July 26, 2022	EOL Oracle GraalVM 22.1 became EOL in 2022.
22.0	April 26, 2022	EOL Oracle GraalVM 22.0 became EOL in 2022.
21.3	October 19, 2022	EOL Oracle GraalVM 21.3 became EOL in 2022.
21.2	October 19, 2021	EOL Oracle GraalVM 21.2 became EOL in 2021.
21.1	July 20, 2021	EOL Oracle GraalVM 21.1 became EOL in 2021.
21.0	April 20, 2021	EOL Oracle GraalVM 21.0 became EOL in 2021.
20.3	November 17, 2021	EOL Oracle GraalVM 20.3 became EOL in 2021.
20.2	November 17, 2020	EOL Oracle GraalVM 20.2 became EOL in 2020.
20.1	August 18, 2020	EOL Oracle GraalVM 20.1 became EOL in 2020.
20.0	May 19, 2020	EOL Oracle GraalVM 20.0 became EOL in 2020.
19.3	April 20, 2021	EOL Oracle GraalVM 19.3 became EOL in 2021.

By the Year

In 2025 there have been 15 vulnerabilities in Oracle GraalVM with an average score of 5.8 out of ten. Last year, in 2024 GraalVM had 32 security vulnerabilities published. Right now, GraalVM is on track to have less security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 1.33.

Year	Vulnerabilities	Average Score
2025	15	5.75
2024	32	4.42
2023	22	4.77
2022	39	5.45
2021	41	6.49
2020	18	7.12
2019	16	7.24

It may take a day or so for new GraalVM vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Oracle GraalVM Security Vulnerabilities

Oracle GraalVM JDK 17.0.16/21.0.8 Compiler: Unauth Read via Network
CVE-2025-61755 3.7 - Low - October 21, 2025

Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.16 and 21.0.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

AuthZ

Oracle Java SE 21.0.8 / GraalVM 21.0.8 Vulnerable Libraries: Unauth API Exploit
CVE-2025-61748 3.7 - Low - October 21, 2025

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 21.0.8 and 25; Oracle GraalVM for JDK: 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Authorization

Oracle JAXP RCE in Java SE and GraalVM
CVE-2025-53066 7.5 - High - October 21, 2025

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Information Disclosure

Oracle Java SE & GraalVM Security flaw in 8u461/11.0.28/17.0.16/21.0.8
CVE-2025-53057 5.9 - Medium - October 21, 2025

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u461, 8u461-perf, 11.0.28, 17.0.16, 21.0.8, 25; Oracle GraalVM for JDK: 17.0.16 and 21.0.8; Oracle GraalVM Enterprise Edition: 21.3.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Authorization

Oracle Java SE & GraalVM Scripting Vulnerability (8u451/11.0.27/21.3.14)
CVE-2025-30761 5.9 - Medium - July 15, 2025

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf and 11.0.27; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Marshaling, Unmarshaling

Oracle GraalVM for JDK 24.0.1 Native Image Partial DoS via HTTP
CVE-2025-50065 3.7 - Low - July 15, 2025

Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE (component: Native Image). The supported version that is affected is Oracle GraalVM for JDK: 24.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle GraalVM for JDK. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Unauth. Remote Code Exec in Oracle Java SE 8u451-24.0.1 & GraalVM
CVE-2025-30749 8.1 - High - July 15, 2025

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Oracle Java SE 24.0.1 / GraalVM 24.0.1 Compiler Unauth Partial DOS
CVE-2025-30752 3.7 - Low - July 15, 2025

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK product of Oracle Java SE (component: Compiler). The supported version that is affected is Oracle Java SE: 24.0.1; Oracle GraalVM for JDK: 24.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Oracle Java SE JSSE TLS Unauth Update/Read via TLS
CVE-2025-30754 4.8 - Medium - July 15, 2025

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Authorization

Oracle Java SE/GraalVM Networking CVE-2025-50059: Unauth Remote Exploit
CVE-2025-50059 8.6 - High - July 15, 2025

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. While the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.6 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).

Authorization

Oracle Java SE & GraalVM 2D API RCE (CVE-2025-50106)
CVE-2025-50106 8.1 - High - July 15, 2025

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Oracle Java SE 21.0.6/24 Compiler: Unauthenticated Network Remote Access
CVE-2025-30691 4.8 - Medium - April 15, 2025

Vulnerability in Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle Java SE: 21.0.6, 24; Oracle GraalVM for JDK: 21.0.6 and 24. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data as well as unauthorized read access to a subset of Oracle Java SE accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Authorization

Oracle Java SE 2D CVE-2025-30698: Unauth Remote Exploit (v8u441+)
CVE-2025-30698 5.6 - Medium - April 15, 2025

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK: 17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition: 20.3.17 and 21.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

Authorization

Oracle Java SE & GraalVM JSSE Remote Code Exec Before 24
CVE-2025-21587 7.4 - High - April 15, 2025

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE:8u441, 8u441-perf, 11.0.26, 17.0.14, 21.0.6, 24; Oracle GraalVM for JDK:17.0.14, 21.0.6, 24; Oracle GraalVM Enterprise Edition:20.3.17 and 21.3.13. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Authorization

Oracle GraalVM JDK Hotspot CVE-2025-21502: Unauth Data Access (8u431-23.0.1)
CVE-2025-21502 4.8 - Medium - January 21, 2025

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Oracle Java SE Compiler 23 Vulnerability: Remote Access Exploit
CVE-2024-21211 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle Java SE: 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Partial DoS via Oracle Java SE Networking (before 8u421/11.0.24)
CVE-2024-21208 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Side Channel Attack

Hotspot CVE-2024-21235: Unauth Data Access in Oracle Java SE 8u421+
CVE-2024-21235 4.8 - Medium - October 15, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Oracle Java & GraalVM Serialization Partial DOS (v8u421-v8u421perf,11.0.2423)
CVE-2024-21217 3.7 - Low - October 15, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Marshaling, Unmarshaling

Concurrency Flaw Allowing Partial DoS in Oracle Java SE 8u411 & 11.0.23
CVE-2024-21144 3.7 - Low - July 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Unauthenticated 2D API Data Leak in Oracle Java SE (8u41121.0.3)
CVE-2024-21145 4.8 - Medium - July 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Oracle Java SE Hotspot DoS CVE-2024-21138 (8u411-22.0.1)
CVE-2024-21138 3.7 - Low - July 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Oracle Java SE / GraalVM Hotspot RCE via API, before 21.0.3
CVE-2024-21131 3.7 - Low - July 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Unauthenticated Remote Exploit via Hotspot in Oracle Java SE 8u411, 11.0.23
CVE-2024-21147 7.4 - High - July 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

HotSpot RCE in Oracle Java SE 8u411/11.0.23/17.0.11 (CVE-2024-21140)
CVE-2024-21140 4.8 - Medium - July 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM for JDK: 17.0.11, 21.0.3, 22.0.1; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Unauthenticated Partial DoS via Concurrency API in Oracle Java SE 8/11 & GraalVM
CVE-2024-21085 - April 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Oracle Java SE Networking CVE-2024-21012 (11.0.22,17.0.10,21.0.2,22)
CVE-2024-21012 3.7 - Low - April 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Oracle GraalVM JDK 17.0.10/21.0.2/22 & EE 20.3.13/21.3.9 Unauth Remote Read
CVE-2024-20954 - April 16, 2024

Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Oracle JavaFX Vulnerability (8u401, 20.3.13/21.3.9) UI Interaction Required
CVE-2024-21003 3.1 - Low - April 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

Hotspot RCE in Oracle Java SE 8u401-22, GraalVM 17.0.10-22
CVE-2024-21068 3.7 - Low - April 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2 and 22; Oracle GraalVM Enterprise Edition: 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Oracle JavaFX CVE-2024-21005 Java 8u401 & GraalVM 20.3.13/21.3.9
CVE-2024-21005 3.1 - Low - April 16, 2024

"Oracle GraalVM for JDK 17.0.10-22 Partial DOS Vulnerability"
CVE-2024-21098 3.7 - Low - April 16, 2024

Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Oracle Java SE & GraalVM Hotspot DoS 8u401, 11.0.22, 17.0.10, 21.0.2, 22
CVE-2024-21011 3.7 - Low - April 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Oracle JavaFX Integrity Bypass in Java SE 8u401, GraalVM 20.3.13/21.3.9
CVE-2024-21004 - April 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 2.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

Oracle Java SE/GraalVM JavaFX CVE-2024-21002 (v8u401, 20.3.13, 21.3.9)
CVE-2024-21002 2.5 - Low - April 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u401; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 2.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

Oracle Java SE Hotspot RCE via API 8u401, 11.0.22, 17.0.10, 21.0.2, 22
CVE-2024-21094 3.7 - Low - April 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2024-20921: Oracle Java SE Hotspot RCE 8u391-21.0.1
CVE-2024-20921 5.9 - Medium - February 17, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Incorrect Default Permissions

Oracle Java SE & GraalVM Security flaw Pre-8u391/11.0.21/17.0.9 LPriv API
CVE-2024-20945 4.7 - Medium - February 17, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).

Oracle Java SE Hotspot Integrity Flaw < 8u391, 11.0.21, 17.0.9, 21.0.1
CVE-2024-20919 5.9 - Medium - February 17, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Oracle Java SE 8u391, GraalVM EE 20.3.12/21.3.8: JavaFX CVE-2024-20923
CVE-2024-20923 3.1 - Low - February 17, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

Protection Mechanism Failure

Oracle Java 8u391: JavaFX Exploit CVE-2024-20925
CVE-2024-20925 3.1 - Low - February 17, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

Oracle Java SE Hotspot CVE-2024-20918 Affects 8u39122.3.4
CVE-2024-20918 7.4 - High - January 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Authorization

Unauth Exploit: JavaFX in Java SE 8u391 & GraalVM EE 20.3.12/21.3.8
CVE-2024-20922 2.5 - Low - January 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u391; Oracle GraalVM Enterprise Edition: 20.3.12 and 21.3.8. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 2.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

Privilege Escalation in Oracle Java SE 8u391/11.0.21 & GraalVM Scripting
CVE-2024-20926 5.9 - Medium - January 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Marshaling, Unmarshaling

Oracle Java SE 17.0.9 Vulnerability: Unauth Remote Exploitation via Security
CVE-2024-20932 7.5 - High - January 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 17.0.9; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 21.3.8 and 22.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Oracle Java SE Unauthorized RCE via Security Component (v8u391+)
CVE-2024-20952 7.4 - High - January 16, 2024

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1; Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

Dangling pointer

Confidentiality Impact: GraalVM Compiler Vulnerability (17.0.9,21.0.1)
CVE-2024-20955 3.7 - Low - January 16, 2024

Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.9, 21.0.1; Oracle GraalVM Enterprise Edition: 20.3.12, 21.3.8 and 22.3.4. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).

Hotspot Vulnerability in Oracle Java SE 8u381-perf, 17.0.8, 21 (CVE-2023-22025)
CVE-2023-22025 3.7 - Low - October 17, 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u381-perf, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 21.3.7 and 22.3.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition,. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

Oracle GraalVM (Comp) v17.0.8/21 & v20.3.11/21.3.7/22.3.3 Unauth Data Access
CVE-2023-22091 4.8 - Medium - October 17, 2023

Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler). Supported versions that are affected are Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 and 22.3.3. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Oracle Java SE & GraalVM JSSE Partial DoS via HTTPS before 8u381
CVE-2023-22081 5.3 - Medium - October 17, 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 and 22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Oracle GraalVM or by Oracle? Click the Watch button to subscribe.

Oracle
Vendor

Oracle GraalVM
Product

Oracle GraalVM

Don't miss out!

EOL Dates

By the Year

Recent Oracle GraalVM Security Vulnerabilities

Oracle GraalVM JDK 17.0.16/21.0.8 Compiler: Unauth Read via Network CVE-2025-61755 3.7 - Low - October 21, 2025

Oracle Java SE 21.0.8 / GraalVM 21.0.8 Vulnerable Libraries: Unauth API Exploit CVE-2025-61748 3.7 - Low - October 21, 2025

Oracle JAXP RCE in Java SE and GraalVM CVE-2025-53066 7.5 - High - October 21, 2025

Oracle Java SE & GraalVM Security flaw in 8u461/11.0.28/17.0.16/21.0.8 CVE-2025-53057 5.9 - Medium - October 21, 2025

Oracle Java SE & GraalVM Scripting Vulnerability (8u451/11.0.27/21.3.14) CVE-2025-30761 5.9 - Medium - July 15, 2025

Oracle GraalVM for JDK 24.0.1 Native Image Partial DoS via HTTP CVE-2025-50065 3.7 - Low - July 15, 2025

Unauth. Remote Code Exec in Oracle Java SE 8u451-24.0.1 & GraalVM CVE-2025-30749 8.1 - High - July 15, 2025

Oracle Java SE 24.0.1 / GraalVM 24.0.1 Compiler Unauth Partial DOS CVE-2025-30752 3.7 - Low - July 15, 2025

Oracle Java SE JSSE TLS Unauth Update/Read via TLS CVE-2025-30754 4.8 - Medium - July 15, 2025

Oracle Java SE/GraalVM Networking CVE-2025-50059: Unauth Remote Exploit CVE-2025-50059 8.6 - High - July 15, 2025

Oracle Java SE & GraalVM 2D API RCE (CVE-2025-50106) CVE-2025-50106 8.1 - High - July 15, 2025

Oracle Java SE 21.0.6/24 Compiler: Unauthenticated Network Remote Access CVE-2025-30691 4.8 - Medium - April 15, 2025

Oracle Java SE 2D CVE-2025-30698: Unauth Remote Exploit (v8u441+) CVE-2025-30698 5.6 - Medium - April 15, 2025

Oracle Java SE & GraalVM JSSE Remote Code Exec Before 24 CVE-2025-21587 7.4 - High - April 15, 2025

Oracle GraalVM JDK Hotspot CVE-2025-21502: Unauth Data Access (8u431-23.0.1) CVE-2025-21502 4.8 - Medium - January 21, 2025

Oracle Java SE Compiler 23 Vulnerability: Remote Access Exploit CVE-2024-21211 3.7 - Low - October 15, 2024

Partial DoS via Oracle Java SE Networking (before 8u421/11.0.24) CVE-2024-21208 3.7 - Low - October 15, 2024

Hotspot CVE-2024-21235: Unauth Data Access in Oracle Java SE 8u421+ CVE-2024-21235 4.8 - Medium - October 15, 2024

Oracle Java & GraalVM Serialization Partial DOS (v8u421-v8u421perf,11.0.2423) CVE-2024-21217 3.7 - Low - October 15, 2024

Concurrency Flaw Allowing Partial DoS in Oracle Java SE 8u411 & 11.0.23 CVE-2024-21144 3.7 - Low - July 16, 2024

Unauthenticated 2D API Data Leak in Oracle Java SE (8u41121.0.3) CVE-2024-21145 4.8 - Medium - July 16, 2024

Oracle Java SE Hotspot DoS CVE-2024-21138 (8u411-22.0.1) CVE-2024-21138 3.7 - Low - July 16, 2024

Oracle Java SE / GraalVM Hotspot RCE via API, before 21.0.3 CVE-2024-21131 3.7 - Low - July 16, 2024

Unauthenticated Remote Exploit via Hotspot in Oracle Java SE 8u411, 11.0.23 CVE-2024-21147 7.4 - High - July 16, 2024

HotSpot RCE in Oracle Java SE 8u411/11.0.23/17.0.11 (CVE-2024-21140) CVE-2024-21140 4.8 - Medium - July 16, 2024

Unauthenticated Partial DoS via Concurrency API in Oracle Java SE 8/11 & GraalVM CVE-2024-21085 - April 16, 2024

Oracle Java SE Networking CVE-2024-21012 (11.0.22,17.0.10,21.0.2,22) CVE-2024-21012 3.7 - Low - April 16, 2024

Oracle GraalVM JDK 17.0.10/21.0.2/22 & EE 20.3.13/21.3.9 Unauth Remote Read CVE-2024-20954 - April 16, 2024

Oracle JavaFX Vulnerability (8u401, 20.3.13/21.3.9) UI Interaction Required CVE-2024-21003 3.1 - Low - April 16, 2024

Hotspot RCE in Oracle Java SE 8u401-22, GraalVM 17.0.10-22 CVE-2024-21068 3.7 - Low - April 16, 2024

Oracle JavaFX CVE-2024-21005 Java 8u401 & GraalVM 20.3.13/21.3.9 CVE-2024-21005 3.1 - Low - April 16, 2024

"Oracle GraalVM for JDK 17.0.10-22 Partial DOS Vulnerability" CVE-2024-21098 3.7 - Low - April 16, 2024

Oracle Java SE & GraalVM Hotspot DoS 8u401, 11.0.22, 17.0.10, 21.0.2, 22 CVE-2024-21011 3.7 - Low - April 16, 2024

Oracle JavaFX Integrity Bypass in Java SE 8u401, GraalVM 20.3.13/21.3.9 CVE-2024-21004 - April 16, 2024

Oracle Java SE/GraalVM JavaFX CVE-2024-21002 (v8u401, 20.3.13, 21.3.9) CVE-2024-21002 2.5 - Low - April 16, 2024

Oracle Java SE Hotspot RCE via API 8u401, 11.0.22, 17.0.10, 21.0.2, 22 CVE-2024-21094 3.7 - Low - April 16, 2024

CVE-2024-20921: Oracle Java SE Hotspot RCE 8u391-21.0.1 CVE-2024-20921 5.9 - Medium - February 17, 2024

Oracle Java SE & GraalVM Security flaw Pre-8u391/11.0.21/17.0.9 LPriv API CVE-2024-20945 4.7 - Medium - February 17, 2024

Oracle Java SE Hotspot Integrity Flaw < 8u391, 11.0.21, 17.0.9, 21.0.1 CVE-2024-20919 5.9 - Medium - February 17, 2024

Oracle Java SE 8u391, GraalVM EE 20.3.12/21.3.8: JavaFX CVE-2024-20923 CVE-2024-20923 3.1 - Low - February 17, 2024

Oracle Java 8u391: JavaFX Exploit CVE-2024-20925 CVE-2024-20925 3.1 - Low - February 17, 2024

Oracle Java SE Hotspot CVE-2024-20918 Affects 8u39122.3.4 CVE-2024-20918 7.4 - High - January 16, 2024

Unauth Exploit: JavaFX in Java SE 8u391 & GraalVM EE 20.3.12/21.3.8 CVE-2024-20922 2.5 - Low - January 16, 2024

Privilege Escalation in Oracle Java SE 8u391/11.0.21 & GraalVM Scripting CVE-2024-20926 5.9 - Medium - January 16, 2024

Oracle Java SE 17.0.9 Vulnerability: Unauth Remote Exploitation via Security CVE-2024-20932 7.5 - High - January 16, 2024

Oracle Java SE Unauthorized RCE via Security Component (v8u391+) CVE-2024-20952 7.4 - High - January 16, 2024

Confidentiality Impact: GraalVM Compiler Vulnerability (17.0.9,21.0.1) CVE-2024-20955 3.7 - Low - January 16, 2024

Hotspot Vulnerability in Oracle Java SE 8u381-perf, 17.0.8, 21 (CVE-2023-22025) CVE-2023-22025 3.7 - Low - October 17, 2023

Oracle GraalVM (Comp) v17.0.8/21 & v20.3.11/21.3.7/22.3.3 Unauth Data Access CVE-2023-22091 4.8 - Medium - October 17, 2023

Oracle Java SE & GraalVM JSSE Partial DoS via HTTPS before 8u381 CVE-2023-22081 5.3 - Medium - October 17, 2023

Stay on top of Security Vulnerabilities

OracleVendor

Oracle GraalVMProduct

Oracle GraalVM JDK 17.0.16/21.0.8 Compiler: Unauth Read via Network
CVE-2025-61755 3.7 - Low - October 21, 2025

Oracle Java SE 21.0.8 / GraalVM 21.0.8 Vulnerable Libraries: Unauth API Exploit
CVE-2025-61748 3.7 - Low - October 21, 2025

Oracle JAXP RCE in Java SE and GraalVM
CVE-2025-53066 7.5 - High - October 21, 2025

Oracle Java SE & GraalVM Security flaw in 8u461/11.0.28/17.0.16/21.0.8
CVE-2025-53057 5.9 - Medium - October 21, 2025

Oracle Java SE & GraalVM Scripting Vulnerability (8u451/11.0.27/21.3.14)
CVE-2025-30761 5.9 - Medium - July 15, 2025

Oracle GraalVM for JDK 24.0.1 Native Image Partial DoS via HTTP
CVE-2025-50065 3.7 - Low - July 15, 2025

Unauth. Remote Code Exec in Oracle Java SE 8u451-24.0.1 & GraalVM
CVE-2025-30749 8.1 - High - July 15, 2025

Oracle Java SE 24.0.1 / GraalVM 24.0.1 Compiler Unauth Partial DOS
CVE-2025-30752 3.7 - Low - July 15, 2025

Oracle Java SE JSSE TLS Unauth Update/Read via TLS
CVE-2025-30754 4.8 - Medium - July 15, 2025

Oracle Java SE/GraalVM Networking CVE-2025-50059: Unauth Remote Exploit
CVE-2025-50059 8.6 - High - July 15, 2025

Oracle Java SE & GraalVM 2D API RCE (CVE-2025-50106)
CVE-2025-50106 8.1 - High - July 15, 2025

Oracle Java SE 21.0.6/24 Compiler: Unauthenticated Network Remote Access
CVE-2025-30691 4.8 - Medium - April 15, 2025

Oracle Java SE 2D CVE-2025-30698: Unauth Remote Exploit (v8u441+)
CVE-2025-30698 5.6 - Medium - April 15, 2025

Oracle Java SE & GraalVM JSSE Remote Code Exec Before 24
CVE-2025-21587 7.4 - High - April 15, 2025

Oracle GraalVM JDK Hotspot CVE-2025-21502: Unauth Data Access (8u431-23.0.1)
CVE-2025-21502 4.8 - Medium - January 21, 2025

Oracle Java SE Compiler 23 Vulnerability: Remote Access Exploit
CVE-2024-21211 3.7 - Low - October 15, 2024

Partial DoS via Oracle Java SE Networking (before 8u421/11.0.24)
CVE-2024-21208 3.7 - Low - October 15, 2024

Hotspot CVE-2024-21235: Unauth Data Access in Oracle Java SE 8u421+
CVE-2024-21235 4.8 - Medium - October 15, 2024

Oracle Java & GraalVM Serialization Partial DOS (v8u421-v8u421perf,11.0.2423)
CVE-2024-21217 3.7 - Low - October 15, 2024

Concurrency Flaw Allowing Partial DoS in Oracle Java SE 8u411 & 11.0.23
CVE-2024-21144 3.7 - Low - July 16, 2024

Unauthenticated 2D API Data Leak in Oracle Java SE (8u41121.0.3)
CVE-2024-21145 4.8 - Medium - July 16, 2024

Oracle Java SE Hotspot DoS CVE-2024-21138 (8u411-22.0.1)
CVE-2024-21138 3.7 - Low - July 16, 2024

Oracle Java SE / GraalVM Hotspot RCE via API, before 21.0.3
CVE-2024-21131 3.7 - Low - July 16, 2024

Unauthenticated Remote Exploit via Hotspot in Oracle Java SE 8u411, 11.0.23
CVE-2024-21147 7.4 - High - July 16, 2024

HotSpot RCE in Oracle Java SE 8u411/11.0.23/17.0.11 (CVE-2024-21140)
CVE-2024-21140 4.8 - Medium - July 16, 2024

Unauthenticated Partial DoS via Concurrency API in Oracle Java SE 8/11 & GraalVM
CVE-2024-21085 - April 16, 2024

Oracle Java SE Networking CVE-2024-21012 (11.0.22,17.0.10,21.0.2,22)
CVE-2024-21012 3.7 - Low - April 16, 2024

Oracle GraalVM JDK 17.0.10/21.0.2/22 & EE 20.3.13/21.3.9 Unauth Remote Read
CVE-2024-20954 - April 16, 2024

Oracle JavaFX Vulnerability (8u401, 20.3.13/21.3.9) UI Interaction Required
CVE-2024-21003 3.1 - Low - April 16, 2024

Hotspot RCE in Oracle Java SE 8u401-22, GraalVM 17.0.10-22
CVE-2024-21068 3.7 - Low - April 16, 2024

Oracle JavaFX CVE-2024-21005 Java 8u401 & GraalVM 20.3.13/21.3.9
CVE-2024-21005 3.1 - Low - April 16, 2024

"Oracle GraalVM for JDK 17.0.10-22 Partial DOS Vulnerability"
CVE-2024-21098 3.7 - Low - April 16, 2024

Oracle Java SE & GraalVM Hotspot DoS 8u401, 11.0.22, 17.0.10, 21.0.2, 22
CVE-2024-21011 3.7 - Low - April 16, 2024

Oracle JavaFX Integrity Bypass in Java SE 8u401, GraalVM 20.3.13/21.3.9
CVE-2024-21004 - April 16, 2024

Oracle Java SE/GraalVM JavaFX CVE-2024-21002 (v8u401, 20.3.13, 21.3.9)
CVE-2024-21002 2.5 - Low - April 16, 2024

Oracle Java SE Hotspot RCE via API 8u401, 11.0.22, 17.0.10, 21.0.2, 22
CVE-2024-21094 3.7 - Low - April 16, 2024

CVE-2024-20921: Oracle Java SE Hotspot RCE 8u391-21.0.1
CVE-2024-20921 5.9 - Medium - February 17, 2024

Oracle Java SE & GraalVM Security flaw Pre-8u391/11.0.21/17.0.9 LPriv API
CVE-2024-20945 4.7 - Medium - February 17, 2024

Oracle Java SE Hotspot Integrity Flaw < 8u391, 11.0.21, 17.0.9, 21.0.1
CVE-2024-20919 5.9 - Medium - February 17, 2024

Oracle Java SE 8u391, GraalVM EE 20.3.12/21.3.8: JavaFX CVE-2024-20923
CVE-2024-20923 3.1 - Low - February 17, 2024

Oracle Java 8u391: JavaFX Exploit CVE-2024-20925
CVE-2024-20925 3.1 - Low - February 17, 2024

Oracle Java SE Hotspot CVE-2024-20918 Affects 8u39122.3.4
CVE-2024-20918 7.4 - High - January 16, 2024

Unauth Exploit: JavaFX in Java SE 8u391 & GraalVM EE 20.3.12/21.3.8
CVE-2024-20922 2.5 - Low - January 16, 2024

Privilege Escalation in Oracle Java SE 8u391/11.0.21 & GraalVM Scripting
CVE-2024-20926 5.9 - Medium - January 16, 2024

Oracle Java SE 17.0.9 Vulnerability: Unauth Remote Exploitation via Security
CVE-2024-20932 7.5 - High - January 16, 2024

Oracle Java SE Unauthorized RCE via Security Component (v8u391+)
CVE-2024-20952 7.4 - High - January 16, 2024

Confidentiality Impact: GraalVM Compiler Vulnerability (17.0.9,21.0.1)
CVE-2024-20955 3.7 - Low - January 16, 2024

Hotspot Vulnerability in Oracle Java SE 8u381-perf, 17.0.8, 21 (CVE-2023-22025)
CVE-2023-22025 3.7 - Low - October 17, 2023

Oracle GraalVM (Comp) v17.0.8/21 & v20.3.11/21.3.7/22.3.3 Unauth Data Access
CVE-2023-22091 4.8 - Medium - October 17, 2023

Oracle Java SE & GraalVM JSSE Partial DoS via HTTPS before 8u381
CVE-2023-22081 5.3 - Medium - October 17, 2023

Oracle
Vendor

Oracle GraalVM
Product