Multiple CRaC JDK and OpenJDK Vulnerabilities Discovered
Severity: High (Score: 72.5)
Sources: openjdk.org, Ubuntu
Keywords: crac, vulnerabilities, thomas, beckers, discovered, jaxp, component
Summary
On May 28, 2026, Ubuntu published security notices for vulnerabilities in various Java Development Kits (JDKs). Discovered by Thomas Beckers, these vulnerabilities affect CRaC JDK 25, JDK 21, JDK 17, OpenJDK 11, and OpenJDK 8. Key issues include improper authentication in components like JAXP, JSSE, and Networking, allowing remote unauthenticated attackers to gain unauthorized access to sensitive information or cause denial of service. Specific CVEs include CVE-2026-22016, CVE-2026-34282, and CVE-2026-22021, all published on April 21, 2026. The vulnerabilities pose a significant risk to systems utilizing these JDK versions, necessitating immediate patching by affected users. The current status indicates that users should update their systems to mitigate these risks.

Key Points:
- Multiple vulnerabilities found in CRaC JDK and OpenJDK versions, affecting authentication.
- Remote unauthenticated attackers can exploit these vulnerabilities for unauthorized access.
- Immediate patching is required for affected systems to prevent potential exploits.
Detailed Analysis
**Impact**
Multiple versions of CRaC JDK and OpenJDK (8, 11, 17, 21, 25) are affected by vulnerabilities that allow remote unauthenticated attackers to gain unauthorized access to sensitive information or cause denial of service. The affected components are JAXP, Networking, JSSE, JGSS, 2D, Libraries, and Security. Any organization running these Java Development Kits, in any sector that relies on Java-based applications, is exposed to potential data disclosure and service disruption.

**Technical Details**
The attack vectors involve improper authentication in various APIs, allowing remote unauthenticated attackers to access sensitive information (CVE-2026-22016, CVE-2026-22013) or cause denial of service (CVE-2026-34282, CVE-2026-22021). Integer arithmetic flaws in the 2D component (CVE-2026-23865) may lead to information leakage when specially crafted files are opened. Local attacks against the Security component (CVE-2026-22007, CVE-2026-34268) can also leak sensitive data. No specific malware, tools, or IOCs were reported.

**Recommended Response**
Apply the latest security updates for all affected CRaC JDK and OpenJDK versions immediately to remediate the listed CVEs. Harden API authentication mechanisms and monitor for unusual access patterns targeting the JAXP, Networking, JSSE, JGSS, and 2D components. Deploy detection rules for anomalous API calls and the opening of crafted files. In the absence of specific IOCs, maintain heightened monitoring of Java application logs and network traffic for exploitation attempts.
Source articles (6)
- USN-8330-1: OpenJDK 8 vulnerabilities — Ubuntu · 2026-05-28
  Thomas Beckers discovered that the JAXP component of OpenJDK 8 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access…
- USN-8331-1: OpenJDK 11 vulnerabilities — Ubuntu · 2026-05-28
  Thomas Beckers discovered that the JAXP component of OpenJDK 11 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized access…
- USN-8332-1: CRaC JDK 17 vulnerabilities — Ubuntu · 2026-05-28
  Thomas Beckers discovered that the JAXP component of CRaC JDK 17 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized acces…
- USN-8333-1: CRaC JDK 21 vulnerabilities — Ubuntu · 2026-05-28
  Thomas Beckers discovered that the JAXP component of CRaC JDK 21 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized acces…
- USN-8334-1: CRaC JDK 25 vulnerabilities — Ubuntu · 2026-05-28
  Thomas Beckers discovered that the JAXP component of CRaC JDK 25 did not correctly authenticate certain APIs. A remote unauthenticated attacker could possibly use this issue to gain unauthorized acces…
- 2026 04 21 — openjdk.org · 2026-05-28
  The following vulnerabilities in OpenJDK source code were fixed in this release. The affected versions are 26, 25.0.2, 21.0.10, 17.0.18, 11.0.30, 8u482, and earlier. Please note that defense-in-depth…
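A patch-level check against the fixed releases named in the openjdk.org note above, added here as an example (it is not code from Ubuntu or openjdk.org); the `java -version` lines it inspects are constructed samples, and the legacy `1.8.0_NNN` form is mapped onto the `8uNNN` numbering the note uses.

```python
import re

# Fixed releases from the openjdk.org 2026-04-21 note quoted above; on each
# release line, "and earlier" is affected. 8u482 is the legacy 1.8.0_482.
FIXED_VERSIONS = {
    26: (26, 0, 0),
    25: (25, 0, 2),
    21: (21, 0, 10),
    17: (17, 0, 18),
    11: (11, 0, 30),
    8: (8, 0, 482),
}

def parse_java_version(text):
    """Return (feature, interim, update) from a java.version string or the
    first line of `java -version` output. Handles the legacy 1.8.0_NNN form
    and the JDK 9+ form; build/pre-release suffixes (+7, -LTS, -ea) are dropped."""
    m = re.search(r'version\s+"([^"]+)"', text)
    version = m.group(1) if m else text.strip()
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    if core.startswith("1."):
        # Legacy scheme 1.<feature>.<interim>_<update>, e.g. 1.8.0_482
        parts = core.split(".")
        interim, _, update = (parts[2] if len(parts) > 2 else "0").partition("_")
        return (int(parts[1]), int(interim or 0), int(update or 0))
    nums = [int(p) for p in core.split(".")] + [0, 0]
    return tuple(nums[:3])

def patch_status(text):
    """'fixed' at or above the fixed release for the runtime's line, 'vulnerable'
    below it, 'unknown' for release lines the note does not cover."""
    version = parse_java_version(text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return "unknown"
    return "fixed" if version >= fixed else "vulnerable"

# Constructed sample lines (not captured output) in the shape a JVM prints them.
SAMPLE_LINES = [
    'openjdk version "1.8.0_472-b08"',
    'openjdk version "11.0.30" 2026-04-21',
    'openjdk version "17.0.17"',
    'openjdk version "21.0.10" 2026-04-21',
    'openjdk version "23.0.2"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{patch_status(line):10s} {line}")
```

Feed it `java -version 2>&1 | head -1` from each host or container image to triage a fleet; an "unknown" result means the release line is not covered by this note and needs a separate check.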
Timeline
- 2026-03-02 — CVE-2026-23865 published: The 2D component in JDKs improperly handles integer arithmetic, leading to potential information leaks.
- 2026-04-21 — CVE-2026-22016 published: A vulnerability in JAXP components across multiple JDKs allows unauthorized access to sensitive information.
- 2026-04-21 — CVE-2026-34282 published: Networking components in various JDKs fail to authenticate APIs, risking denial of service.
- 2026-04-21 — CVE-2026-22021 published: JSSE components in multiple JDKs are vulnerable to denial of service due to authentication issues.
- 2026-04-21 — CVE-2026-22018 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-04-21 — CVE-2026-34268 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-04-21 — CVE-2026-22013 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-04-21 — CVE-2026-22008 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
- 2026-04-21 — CVE-2026-22007 published: Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
CVEs
- CVE-2026-22007
- CVE-2026-22008
- CVE-2026-22013
- CVE-2026-22016
- CVE-2026-22018
- CVE-2026-22021
- CVE-2026-23865
- CVE-2026-34268
- CVE-2026-34282
Related entities
- Data Breach (Attack Type)
- DDoS (Attack Type)
- Denial of Service (Attack Type)
- Zero-day Exploit (Attack Type)
- CWE-190 - Integer Overflow or Wraparound (CWE)
- CWE-200 - Exposure of Sensitive Information (CWE)
- CWE-287 - Improper Authentication (CWE)
- CWE-400 - Uncontrolled Resource Consumption (CWE)
- CRaC JDK 17 (Platform)
- CRaC JDK 21 (Platform)
- OpenJDK 11 (Platform)
- OpenJDK 8 (Platform)
- Ubuntu (Company)