vulnerability

Ubuntu: (Multiple Advisories) (CVE-2026-21925): OpenJDK 25 vulnerabilities

Try Surface Command
Back to search
Severity
6
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:N)
Published
Feb 2, 2026
Added
Feb 4, 2026
Modified
Feb 5, 2026

Description

It was discovered that the RMI component of OpenJDK 25 would establish
RMI TCP endpoint connections to a remote host without setting an
endpoint identification algorithm. An unauthenticated remote attacker
could possibly use this issue to steal sensitive information.
(CVE-2026-21925)

Mingijung discovered that the AWT and JavaFX componenets of OpenJDK 25
could run programs if Desktop.browse() was supplied a filename as a
URI. An unauthenticated remote attacker could possibly use this issue
to execute arbitrary code. (CVE-2026-21932)

Zhihui Chen discovered that the Networking component of OpenJDK 25
was suceptible to a CRLF injection vulnerability via the HttpServer
class. An unauthenticated remote attacker could possibly use this
issue to modify files or leak sensitive information. (CVE-2026-21933)

Ireneusz Pastusiak discovered that the Security component of OpenJDK
25 failed to verify provided URIs point to a legitimate source when
AIA is enabled. An unauthenticated remote attacker could possibly
use this issue to redirect users to malicious hosts.
(CVE-2026-21945)

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-01-20

Solutions

ubuntu-upgrade-openjdk-11-jdkubuntu-upgrade-openjdk-11-jdk-headlessubuntu-upgrade-openjdk-11-jreubuntu-upgrade-openjdk-11-jre-headlessubuntu-upgrade-openjdk-11-jre-zeroubuntu-upgrade-openjdk-17-crac-jdkubuntu-upgrade-openjdk-17-crac-jdk-headlessubuntu-upgrade-openjdk-17-crac-jreubuntu-upgrade-openjdk-17-crac-jre-headlessubuntu-upgrade-openjdk-17-crac-jre-zeroubuntu-upgrade-openjdk-17-jdkubuntu-upgrade-openjdk-17-jdk-headlessubuntu-upgrade-openjdk-17-jreubuntu-upgrade-openjdk-17-jre-headlessubuntu-upgrade-openjdk-17-jre-zeroubuntu-upgrade-openjdk-21-crac-demoubuntu-upgrade-openjdk-21-crac-docubuntu-upgrade-openjdk-21-crac-jdkubuntu-upgrade-openjdk-21-crac-jdk-headlessubuntu-upgrade-openjdk-21-crac-jreubuntu-upgrade-openjdk-21-crac-jre-headlessubuntu-upgrade-openjdk-21-crac-jre-zeroubuntu-upgrade-openjdk-21-crac-sourceubuntu-upgrade-openjdk-21-crac-testsupportubuntu-upgrade-openjdk-21-jdkubuntu-upgrade-openjdk-21-jdk-headlessubuntu-upgrade-openjdk-21-jreubuntu-upgrade-openjdk-21-jre-headlessubuntu-upgrade-openjdk-21-jre-zeroubuntu-upgrade-openjdk-25-crac-jdkubuntu-upgrade-openjdk-25-crac-jdk-headlessubuntu-upgrade-openjdk-25-crac-jreubuntu-upgrade-openjdk-25-crac-jre-headlessubuntu-upgrade-openjdk-25-crac-jre-zeroubuntu-upgrade-openjdk-25-jdkubuntu-upgrade-openjdk-25-jdk-headlessubuntu-upgrade-openjdk-25-jreubuntu-upgrade-openjdk-25-jre-headlessubuntu-upgrade-openjdk-25-jre-zeroubuntu-upgrade-openjdk-25-jvmci-jdkubuntu-upgrade-openjdk-8-jdkubuntu-upgrade-openjdk-8-jdk-headlessubuntu-upgrade-openjdk-8-jreubuntu-upgrade-openjdk-8-jre-headlessubuntu-upgrade-openjdk-8-jre-jamvmubuntu-upgrade-openjdk-8-jre-zero

References

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today