Red Hat alert RHSA-2026:9254-01 (java-11-openjdk with Extended Lifecycle Support)
An update for java-11-openjdk with Extended Lifecycle Support is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, and Red Hat Enterprise Linux 9.

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. This release contains OpenJDK 11 with Extended Lifecycle Support for Red Hat Enterprise Linux versions 7, 8, and 9.

Security Fix(es):

* JDK: LIBPNG: out-of-bounds read in png_image_read_composite (CVE-2025-66293)
* JDK: LIBPNG: Information disclosure and denial of service via integer truncation in simplified write API (CVE-2026-22801)
* JDK: LIBPNG: has a heap buffer overflow in png_set_quantize (CVE-2026-25646)
* JDK: GIFLIB: Denial of Service via buffer overflow in EGifGCBToExtension (CVE-2026-26740)
* JDK: LIBPNG: Arbitrary code execution due to use-after-free vulnerability (CVE-2026-33416)
* JDK: LIBPNG: Information disclosure and denial of service via out-of-bounds read/write in Neon palette expansion (CVE-2026-33636)
* JDK: Denial of service and information disclosure via heap buffer over-read in png_image_finish_read (CVE-2026-22695)
* JDK: (CVE-2026-22007)
* JDK: (CVE-2026-22016)
* JDK: (CVE-2026-22013)
* JDK: (CVE-2026-22018)
* JDK: (CVE-2026-22021)
* JDK: (CVE-2026-34268)
* JDK: (CVE-2026-34282)
* JDK: (CVE-2026-23865)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Original: https://access.redhat.com/security/data/csaf/v2/advisories/2026/rhsa-2026_9254.json
