Package details: pkg:rpm/redhat/java-11-openjdk@1:11.0.31.0.11-1?arch=el9
purl pkg:rpm/redhat/java-11-openjdk@1:11.0.31.0.11-1?arch=el9
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 3.8
Vulnerabilities affecting this package (15)
Vulnerability Summary Fixed by
VCID-1gha-995s-7qdg
Aliases:
CVE-2026-22016
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). There are no reported fixed by versions.
VCID-41qj-62x6-tqe5
Aliases:
CVE-2026-26740
giflib: giflib: Denial of Service via buffer overflow in EGifGCBToExtension. There are no reported fixed by versions.
VCID-57sd-8y93-qqhu
Aliases:
CVE-2026-34282
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). There are no reported fixed by versions.
VCID-6fzj-746j-bkbc
Aliases:
CVE-2026-23865
Freetype: Freetype: Information disclosure or denial of service via specially crafted font files. There are no reported fixed by versions.
VCID-6r1k-8y1c-q7fm
Aliases:
CVE-2026-22007
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). There are no reported fixed by versions.
VCID-7qam-er5a-gbas
Aliases:
CVE-2026-22801
libpng: libpng: Information disclosure and denial of service via integer truncation in simplified write API. There are no reported fixed by versions.
VCID-dm7h-c7wt-1kbs
Aliases:
CVE-2026-33416
libpng: libpng: Arbitrary code execution due to use-after-free vulnerability. There are no reported fixed by versions.
VCID-j7dk-wzkm-tfcr
Aliases:
CVE-2025-66293
libpng: LIBPNG out-of-bounds read in png_image_read_composite. There are no reported fixed by versions.
VCID-jxgd-j4wr-tyb7
Aliases:
CVE-2026-34268
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N). There are no reported fixed by versions.
VCID-ptgq-884e-mkft
Aliases:
CVE-2026-33636
libpng: libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion. There are no reported fixed by versions.
VCID-rm7f-ybuf-dyfq
Aliases:
CVE-2026-22695
libpng: libpng: Denial of service and information disclosure via heap buffer over-read in png_image_finish_read. There are no reported fixed by versions.
VCID-sz6r-65q1-q3bh
Aliases:
CVE-2026-22021
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). There are no reported fixed by versions.
VCID-xte1-h9nn-4bbk
Aliases:
CVE-2026-22018
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). There are no reported fixed by versions.
VCID-xyhj-84d1-dqh3
Aliases:
CVE-2026-25646
libpng: LIBPNG has a heap buffer overflow in png_set_quantize. There are no reported fixed by versions.
VCID-zsun-4q6p-8fek
Aliases:
CVE-2026-22013
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N). There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-24T12:26:28.044671+00:00 RedHat Importer Affected by VCID-j7dk-wzkm-tfcr https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-66293.json 38.4.0
2026-04-24T12:26:06.989961+00:00 RedHat Importer Affected by VCID-rm7f-ybuf-dyfq https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22695.json 38.4.0
2026-04-24T12:26:06.248736+00:00 RedHat Importer Affected by VCID-7qam-er5a-gbas https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22801.json 38.4.0
2026-04-24T12:25:06.103835+00:00 RedHat Importer Affected by VCID-xyhj-84d1-dqh3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25646.json 38.4.0
2026-04-24T12:25:00.811935+00:00 RedHat Importer Affected by VCID-6fzj-746j-bkbc https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23865.json 38.4.0
2026-04-24T12:24:40.330338+00:00 RedHat Importer Affected by VCID-41qj-62x6-tqe5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26740.json 38.4.0
2026-04-24T12:24:34.164111+00:00 RedHat Importer Affected by VCID-dm7h-c7wt-1kbs https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33416.json 38.4.0
2026-04-24T12:24:33.816135+00:00 RedHat Importer Affected by VCID-ptgq-884e-mkft https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33636.json 38.4.0
2026-04-24T12:24:28.543827+00:00 RedHat Importer Affected by VCID-57sd-8y93-qqhu https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34282.json 38.4.0
2026-04-24T12:24:28.349359+00:00 RedHat Importer Affected by VCID-jxgd-j4wr-tyb7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34268.json 38.4.0
2026-04-24T12:24:28.136220+00:00 RedHat Importer Affected by VCID-sz6r-65q1-q3bh https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22021.json 38.4.0
2026-04-24T12:24:27.920684+00:00 RedHat Importer Affected by VCID-xte1-h9nn-4bbk https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22018.json 38.4.0
2026-04-24T12:24:27.735848+00:00 RedHat Importer Affected by VCID-zsun-4q6p-8fek https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22013.json 38.4.0
2026-04-24T12:24:27.553852+00:00 RedHat Importer Affected by VCID-1gha-995s-7qdg https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22016.json 38.4.0
2026-04-24T12:24:27.358699+00:00 RedHat Importer Affected by VCID-6r1k-8y1c-q7fm https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22007.json 38.4.0