Vulnerability details: VCID-hx4c-96gx-2fbq
Vulnerability ID VCID-hx4c-96gx-2fbq
Aliases CVE-2022-21426
Summary OpenJDK: Unbounded memory allocation when compiling crafted XPath expressions (JAXP, 8270504)
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21426.json
epss 0.00062 https://api.first.org/data/v1/epss?cve=CVE-2022-21426
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 5.3 https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html
ssvc Track https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html
archlinux High https://security.archlinux.org/AVG-2686
archlinux High https://security.archlinux.org/AVG-2687
archlinux High https://security.archlinux.org/AVG-2688
archlinux High https://security.archlinux.org/AVG-2689
cvssv3.1 5.3 https://security.netapp.com/advisory/ntap-20220429-0006/
ssvc Track https://security.netapp.com/advisory/ntap-20220429-0006/
cvssv3.1 5.3 https://www.debian.org/security/2022/dsa-5128
ssvc Track https://www.debian.org/security/2022/dsa-5128
cvssv3.1 5.3 https://www.debian.org/security/2022/dsa-5131
ssvc Track https://www.debian.org/security/2022/dsa-5131
cvssv3.1 5.3 https://www.oracle.com/security-alerts/cpuapr2022.html
ssvc Track https://www.oracle.com/security-alerts/cpuapr2022.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21426.json
https://api.first.org/data/v1/epss?cve=CVE-2022-21426
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21426
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21434
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21443
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21449
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21476
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21496
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2075788 https://bugzilla.redhat.com/show_bug.cgi?id=2075788
AVG-2686 https://security.archlinux.org/AVG-2686
AVG-2687 https://security.archlinux.org/AVG-2687
AVG-2688 https://security.archlinux.org/AVG-2688
AVG-2689 https://security.archlinux.org/AVG-2689
dsa-5128 https://www.debian.org/security/2022/dsa-5128
dsa-5131 https://www.debian.org/security/2022/dsa-5131
msg00017.html https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html
ntap-20220429-0006 https://security.netapp.com/advisory/ntap-20220429-0006/
RHSA-2022:1435 https://access.redhat.com/errata/RHSA-2022:1435
RHSA-2022:1436 https://access.redhat.com/errata/RHSA-2022:1436
RHSA-2022:1437 https://access.redhat.com/errata/RHSA-2022:1437
RHSA-2022:1438 https://access.redhat.com/errata/RHSA-2022:1438
RHSA-2022:1439 https://access.redhat.com/errata/RHSA-2022:1439
RHSA-2022:1440 https://access.redhat.com/errata/RHSA-2022:1440
RHSA-2022:1441 https://access.redhat.com/errata/RHSA-2022:1441
RHSA-2022:1442 https://access.redhat.com/errata/RHSA-2022:1442
RHSA-2022:1443 https://access.redhat.com/errata/RHSA-2022:1443
RHSA-2022:1444 https://access.redhat.com/errata/RHSA-2022:1444
RHSA-2022:1445 https://access.redhat.com/errata/RHSA-2022:1445
RHSA-2022:1487 https://access.redhat.com/errata/RHSA-2022:1487
RHSA-2022:1488 https://access.redhat.com/errata/RHSA-2022:1488
RHSA-2022:1489 https://access.redhat.com/errata/RHSA-2022:1489
RHSA-2022:1490 https://access.redhat.com/errata/RHSA-2022:1490
RHSA-2022:1491 https://access.redhat.com/errata/RHSA-2022:1491
RHSA-2022:1492 https://access.redhat.com/errata/RHSA-2022:1492
RHSA-2022:1728 https://access.redhat.com/errata/RHSA-2022:1728
RHSA-2022:1729 https://access.redhat.com/errata/RHSA-2022:1729
RHSA-2022:2137 https://access.redhat.com/errata/RHSA-2022:2137
RHSA-2023:3136 https://access.redhat.com/errata/RHSA-2023:3136
USN-5388-1 https://usn.ubuntu.com/5388-1/
USN-5388-2 https://usn.ubuntu.com/5388-2/
USN-5546-1 https://usn.ubuntu.com/5546-1/
USN-5546-2 https://usn.ubuntu.com/5546-2/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21426.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-24T17:35:39Z/ Found at https://lists.debian.org/debian-lts-announce/2022/05/msg00017.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://security.netapp.com/advisory/ntap-20220429-0006/
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-24T17:35:39Z/ Found at https://security.netapp.com/advisory/ntap-20220429-0006/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://www.debian.org/security/2022/dsa-5128
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-24T17:35:39Z/ Found at https://www.debian.org/security/2022/dsa-5128
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://www.debian.org/security/2022/dsa-5131
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-24T17:35:39Z/ Found at https://www.debian.org/security/2022/dsa-5131
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://www.oracle.com/security-alerts/cpuapr2022.html
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-24T17:35:39Z/ Found at https://www.oracle.com/security-alerts/cpuapr2022.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.19476
EPSS Score 0.00062
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:58:50.877419+00:00 RedHat Importer Import https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-21426.json 38.0.0