|
|
Log in / Subscribe / Register

AlmaLinux alert ALSA-2026:9693 (java-25-openjdk)



From:
              AlmaLinux Errata Notifications via Announce <announce@lists.almalinux.org>


To:
              announce@lists.almalinux.org


Subject:
              [Announce] [Security Advisory] ALSA-2026:9693: java-25-openjdk security update (Important)


Date:
              Fri, 24 Apr 2026 15:01:44 +0000


Message-ID:
              <0100019dc002d52a-947747be-1cfe-429d-b6e5-55f643bb8284-000000@email.amazonses.com>


Archive-link:
              Article


Hi,

You are receiving an AlmaLinux Security update email because you subscribed to receive errata
notifications from AlmaLinux.

AlmaLinux: 10
Type: Security
Severity: Important
Release date: 2026-04-24

Summary:

The OpenJDK 25 packages provide the OpenJDK 25 Java Runtime Environment and the OpenJDK 25 Java
Software Development Kit.  

Security Fix(es):  

  * JDK: Enhance crypto algorithm support (CVE-2026-22007)
  * JDK: Improved Arena allocations (CVE-2026-22008)
  * JDK: Improve Kerberos credentialing (CVE-2026-22013)
  * JDK: Enhance Path Factories Redux (CVE-2026-22016)
  * JDK: Enhance Zip file reading (CVE-2026-22018)
  * JDK: Enhance certificate chain validation (CVE-2026-22021)
  * JDK: Updating FreeType 2.14.1 (CVE-2026-23865)
  * JDK: Enhance TLS connection handling (CVE-2026-34282)
  * JDK: Enhance key generation (CVE-2026-34268)


This release also updates a number of third-party libraries included in the JDK. The libraries
themselves are affected by the following CVEs, but this is not a statement that the JDK itself is
affected:  

  * giflib: Denial of Service via buffer overflow in EGifGCBToExtension (CVE-2026-26740)
  * libpng: Information disclosure and denial of service via out-of-bounds read/write in Neon
palette expansion (CVE-2026-33636)
  * libpng: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)


Bug Fix(es):  

  * When copying files, OpenJDK 25 prefers to use the copy_file_range native function for
performance reasons, only falling back to sendfile when this fails. However, in previous OpenJDK 25
releases, a response of EOPNOTSUPP (operation not supported) did not cause the JDK to fall back to
sendfile. This is rectified in this release. (AlmaLinux-169939, AlmaLinux-169937)


For more details about the security issue(s), including the impact, a CVSS score, acknowledgments,
and other related information, refer to the CVE page(s) listed in the References section.


Full details, updated packages, references, and other related information:
https://errata.almalinux.org/10/ALSA-2026-9693.html

This message is automatically generated, please don’t reply. For further questions, please, contact
us via the AlmaLinux community chat: https://chat.almalinux.org/.
Want to change your notification settings? Sign in and manage mailing lists on
https://lists.almalinux.org.

Kind regards,
AlmaLinux Team
_______________________________________________
Announce mailing list -- announce@lists.almalinux.org
To unsubscribe send an email to announce-leave@lists.almalinux.org
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds