PatchSiren cyber security CVE debrief

CVE-2026-21945 Cert Portal CVE debrief

CVE-2026-21945 is a network-reachable denial-of-service vulnerability affecting Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. The advisory states that an unauthenticated attacker can trigger a hang or repeatable crash, resulting in loss of availability. Oracle's note also narrows the practical exposure: the issue applies to Java client deployments that load and execute untrusted code under the Java sandbox, such as Java Web Start applications or applets, and does not apply to typical server deployments that run only trusted code.

Vendor: Cert Portal
Product: Siemens SIMATIC CN 4100 vers:intdot/<5.0
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-14
Advisory published: 2026-05-12
Advisory updated: 2026-05-14

Who should care

Teams responsible for Oracle Java SE, Oracle GraalVM for JDK, or Oracle GraalVM Enterprise Edition should care most, especially where affected runtimes are installed on client endpoints or legacy desktop environments that still use Java Web Start, applets, or other sandboxed code paths. Patch management, endpoint security, and vulnerability management teams should also prioritize it for internet-connected or user-facing fleets.

Technical summary

The advisory describes an unauthenticated, network-accessible availability issue with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5). Successful exploitation can cause a hang or a repeatable crash; the provided source text does not indicate any confidentiality or integrity impact. The advisory explicitly limits the affected usage model to Java deployments that rely on the sandbox to run untrusted code; it states that deployments running only trusted code in server-style environments are not in scope.

Defensive priority

High for affected client or desktop Java deployments; lower for trusted-code server deployments that match the advisory’s exclusion language.

Recommended defensive actions

  • Inventory Java SE and GraalVM versions across endpoints and client systems, with special attention to the versions named in the advisory.
  • Upgrade to the vendor-fixed release described in the source remediation guidance: V5.0 or later.
  • Prioritize systems that run Java Web Start, applets, or other sandboxed/untrusted-code workflows.
  • Verify whether any business-critical applications still depend on affected legacy Java client behaviors and plan remediation windows accordingly.
  • Monitor affected endpoints for repeated hangs or crashes and confirm that patching removes the vulnerable runtime version.

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSA-26-134-10, published 2026-05-12 and republished 2026-05-14. The advisory body describes Oracle Java SE / Oracle GraalVM for JDK / Oracle GraalVM Enterprise Edition, with a DoS impact and a remediation of V5.0 or later. The provided wrapper metadata contains a vendor/product mismatch ('Siemens SIMATIC CN 4100 vers:intdot/<5.0') that does not align with the advisory description, so vendor attribution in the wrapper should be treated as low confidence.

Official resources

CISA published the advisory on 2026-05-12 and republished it on 2026-05-14 from Siemens ProductCERT SSA-032379. For timing context, use 2026-05-12 as the CVE publication date.