
Red Hat alert RHSA-2026:9693-01 (java-25-openjdk)

An update for java-25-openjdk is now available for Red Hat Enterprise Linux 9
and Red Hat Enterprise Linux 10.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

The OpenJDK 25 packages provide the OpenJDK 25 Java Runtime Environment and
the OpenJDK 25 Java Software Development Kit.

Security Fix(es):

* JDK: Enhance crypto algorithm support (CVE-2026-22007)

* JDK: Improved Arena allocations (CVE-2026-22008)

* JDK: Improve Kerberos credentialing (CVE-2026-22013)

* JDK: Enhance Path Factories Redux (CVE-2026-22016)

* JDK: Enhance Zip file reading (CVE-2026-22018)

* JDK: Enhance certificate chain validation (CVE-2026-22021)

* JDK: Updating FreeType 2.14.1 (CVE-2026-23865)

* JDK: Enhance TLS connection handling (CVE-2026-34282)

* JDK: Enhance key generation (CVE-2026-34268)

This release also updates a number of third-party libraries included in the
JDK.  The libraries themselves are affected by the following CVEs, but this
is not a statement that the JDK itself is affected:

* giflib: Denial of Service via buffer overflow in EGifGCBToExtension
(CVE-2026-26740)

* libpng: Information disclosure and denial of service via out-of-bounds
read/write in Neon palette expansion (CVE-2026-33636)

* libpng: Arbitrary code execution due to use-after-free vulnerability
(CVE-2026-33416)

Bug Fix(es):

* When copying files, OpenJDK 25 prefers the copy_file_range system call for
performance, falling back to sendfile only when copy_file_range fails. In
earlier OpenJDK 25 builds, however, a copy_file_range result of EOPNOTSUPP
(operation not supported) did not trigger the fallback to sendfile, so such
copies failed instead of completing through the slower path. This release
corrects that. (RHEL-169939, RHEL-169937)
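As an added example (not code from the advisory or from OpenJDK), the fallback chain described above written out in C: copy_file_range(2) is tried first, and an errno that means "this mechanism cannot do this copy", EOPNOTSUPP included, hands the job to sendfile(2) after rewinding both descriptors; any other errno is reported as a real failure. The example goes slightly beyond the advisory in also treating ENOSYS, EXDEV and EINVAL as fallback triggers; that set, the `simulated_cfr_errno` hook, the file names under /tmp and the pattern data are assumptions made for this example so the EOPNOTSUPP path can be exercised on any Linux kernel.

```c
// Added example (not from the advisory or OpenJDK): a file copy with the
// fallback chain the advisory describes, copy_file_range(2) first and
// sendfile(2) when the first reports that it cannot do the job.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/sendfile.h>
#include <sys/stat.h>
#include <unistd.h>

/* errno values that mean "this mechanism cannot perform this copy" rather
 * than "the copy failed". EOPNOTSUPP is the one the advisory says earlier
 * OpenJDK 25 builds did not treat as a reason to fall back; the other three
 * are this example's own choice, not taken from the advisory. */
static int should_fall_back(int e) {
    return e == EOPNOTSUPP || e == ENOSYS || e == EXDEV || e == EINVAL;
}

/* Run copy_file_range until `len` bytes are copied. 0 on success, -1 + errno. */
static int stage_copy_file_range(int in_fd, int out_fd, off_t len) {
    while (len > 0) {
        ssize_t n = copy_file_range(in_fd, NULL, out_fd, NULL, (size_t)len, 0);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) { errno = EIO; return -1; }   /* source shrank under us */
        len -= n;
    }
    return 0;
}

/* Same contract using sendfile, which on Linux also writes to regular files. */
static int stage_sendfile(int in_fd, int out_fd, off_t len) {
    while (len > 0) {
        ssize_t n = sendfile(out_fd, in_fd, NULL, (size_t)len);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        if (n == 0) { errno = EIO; return -1; }
        len -= n;
    }
    return 0;
}

/* Rewind both descriptors and empty the destination so the fallback starts
 * from a clean state even if the first mechanism copied part of the file. */
static int reset_copy(int in_fd, int out_fd) {
    if (lseek(in_fd, 0, SEEK_SET) < 0 || lseek(out_fd, 0, SEEK_SET) < 0) return -1;
    return ftruncate(out_fd, 0);
}

/* Copy src to dst. `simulated_cfr_errno` is a hook that exists only in this
 * example: when nonzero, copy_file_range is not called and is treated as
 * having failed with that errno, so the fallback decision can be exercised
 * on any kernel. Returns the name of the mechanism that completed the copy,
 * or NULL with errno set if neither could. */
const char *copy_file_fallback(const char *src, const char *dst, int simulated_cfr_errno) {
    int in_fd = open(src, O_RDONLY | O_CLOEXEC);
    if (in_fd < 0) return NULL;
    struct stat st;
    int out_fd = -1;
    if (fstat(in_fd, &st) == 0)
        out_fd = open(dst, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600);
    if (out_fd < 0) { int e = errno; close(in_fd); errno = e; return NULL; }

    const char *how = NULL;
    int rc;
    if (simulated_cfr_errno) { errno = simulated_cfr_errno; rc = -1; }
    else rc = stage_copy_file_range(in_fd, out_fd, st.st_size);

    if (rc == 0) how = "copy_file_range";
    else if (should_fall_back(errno) && reset_copy(in_fd, out_fd) == 0
             && stage_sendfile(in_fd, out_fd, st.st_size) == 0)
        how = "sendfile";
    /* any other errno (EACCES, ENOSPC, EIO, ...) is a real failure: report it */

    int saved = errno;
    close(in_fd);
    if (close(out_fd) < 0 && how) { how = NULL; saved = errno; }
    errno = saved;
    return how;
}

/* Demo helpers: write `len` bytes of a counting pattern (constructed sample
 * input), and compare two files byte for byte (1 if identical, else 0). */
int write_pattern_file(const char *path, size_t len) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    for (size_t i = 0; i < len; i++) fputc((int)(i * 31 % 251), f);
    return fclose(f);
}

int files_identical(const char *a, const char *b) {
    FILE *fa = fopen(a, "rb"), *fb = fopen(b, "rb");
    int same = (fa && fb);
    while (same) {
        int ca = fgetc(fa), cb = fgetc(fb);
        same = (ca == cb);
        if (ca == EOF) break;
    }
    if (fa) fclose(fa);
    if (fb) fclose(fb);
    return same;
}

int main(void) {
    const char *src = "/tmp/cfr_demo_src.bin", *dst = "/tmp/cfr_demo_dst.bin";
    if (write_pattern_file(src, 200000) != 0) return 1;
    int errnos[] = { 0, EOPNOTSUPP, EACCES };   /* native, the advisory's case, a real error */
    for (int i = 0; i < 3; i++) {
        const char *how = copy_file_fallback(src, dst, errnos[i]);
        int e = errno;
        printf("simulated errno %d: %s, identical=%d\n", errnos[i],
               how ? how : strerror(e), files_identical(src, dst));
    }
    return 0;
}
```

Build with `cc -o cfr cfr.c` on Linux (glibc 2.27 or newer for copy_file_range). The first line of output shows whichever mechanism the running kernel accepted; the second shows the copy completing via sendfile after the simulated EOPNOTSUPP, which is the behaviour the advisory restores; the third shows a non-fallback errno being surfaced as a failure rather than silently retried, the distinction the classifier exists to make.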

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0
International License (https://creativecommons.org/licenses/by/4.0/). If you
distribute this content, or a modified version of it, you must provide
attribution to Red Hat Inc. and provide a link to the original.

Original: https://access.redhat.com/security/data/csaf/v2/advisories/2026/rhsa-2026_9693.json




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds