Linux Distros Unpatched Vulnerability : CVE-2026-22003

🗓️ 29 Apr 2026 00:00:00Reported by TenableType
Linux hosts with unpatched Oracle Java SE and GraalVM (CVE-2026-22003) risk data loss or crash.
Reporter	Title	Published	Views	Family All 26
ATTACKERKB	CVE-2026-22003	21 Apr 202620:35	–	attackerkb
CloudLinux	java-1.8.0-openjdk: Fix of 7 CVEs	28 May 202614:28	–	cloudlinux
CNNVD	Oracle Java SE和Oracle GraalVM Enterprise Edition 安全漏洞	21 Apr 202600:00	–	cnnvd
CVE	CVE-2026-22003	21 Apr 202620:35	–	cve
Cvelist	CVE-2026-22003	21 Apr 202620:35	–	cvelist
Debian CVE	CVE-2026-22003	21 Apr 202620:35	–	debiancve
EUVD	EUVD-2026-24303	21 Apr 202621:31	–	euvd
F5 Networks	K000161050: Multiple Oracle Java vulnerabilities	30 Apr 202607:35	–	f5
Kaspersky	KLA90997 Multiple vulnerabilities in Oracle Java	21 Apr 202600:00	–	kaspersky
NVD	CVE-2026-22003	21 Apr 202621:16	–	nvd
Source	Link
ubuntu	www.ubuntu.com/security/CVE-2026-22003
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(310824);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/29");

  script_cve_id("CVE-2026-22003");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-22003");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
    (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u481 and 8u481-b50; Oracle
    GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows low privileged attacker
    with logon to the infrastructure where Oracle Java SE, Oracle GraalVM Enterprise Edition executes to
    compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction
    from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized
    creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM
    Enterprise Edition accessible data and unauthorized ability to cause a hang or frequently repeatable crash
    (complete DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to
    Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java
    applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java
    sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that
    load and run only trusted code (e.g., code installed by an administrator). (CVE-2026-22003)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2026-22003");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-22003");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2026-22003");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/04/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/04/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:26.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-13");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-16");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-17");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-17-crac");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-18");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-21");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-21-crac");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-25");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openjdk-lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Ubuntu Linux-16.04", "Host/OS/Ubuntu Linux-18.04", "Host/OS/Ubuntu Linux-20.04", "Host/OS/Ubuntu Linux-22.04", "Host/OS/Ubuntu Linux-24.04", "Host/OS/Ubuntu Linux-25.10", "Host/OS/Ubuntu Linux-26.04");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Ubuntu Linux-16.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "16.04",
        "pkgs": [
          {"reference": "openjdk-8-dbg"},
          {"reference": "openjdk-8-demo"},
          {"reference": "openjdk-8-doc"},
          {"reference": "openjdk-8-jdk"},
          {"reference": "openjdk-8-jdk-headless"},
          {"reference": "openjdk-8-jre"},
          {"reference": "openjdk-8-jre-headless"},
          {"reference": "openjdk-8-jre-jamvm"},
          {"reference": "openjdk-8-jre-zero"},
          {"reference": "openjdk-8-source"},
          {"reference": "openjdk-9"}
        ]
      }
    ]
  },
  "Ubuntu Linux-18.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "18.04",
        "pkgs": [
          {"reference": "openjdk-11-dbg"},
          {"reference": "openjdk-11-demo"},
          {"reference": "openjdk-11-doc"},
          {"reference": "openjdk-11-jdk"},
          {"reference": "openjdk-11-jdk-headless"},
          {"reference": "openjdk-11-jre"},
          {"reference": "openjdk-11-jre-headless"},
          {"reference": "openjdk-11-jre-zero"},
          {"reference": "openjdk-11-source"},
          {"reference": "openjdk-17"},
          {"reference": "openjdk-8"}
        ]
      }
    ]
  },
  "Ubuntu Linux-20.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "20.04",
        "pkgs": [
          {"reference": "openjdk-11-dbg"},
          {"reference": "openjdk-11-demo"},
          {"reference": "openjdk-11-doc"},
          {"reference": "openjdk-11-jdk"},
          {"reference": "openjdk-11-jdk-headless"},
          {"reference": "openjdk-11-jre"},
          {"reference": "openjdk-11-jre-headless"},
          {"reference": "openjdk-11-jre-zero"},
          {"reference": "openjdk-11-source"},
          {"reference": "openjdk-13"},
          {"reference": "openjdk-16"},
          {"reference": "openjdk-17"},
          {"reference": "openjdk-21"},
          {"reference": "openjdk-8"}
        ]
      }
    ]
  },
  "Ubuntu Linux-22.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "22.04",
        "pkgs": [
          {"reference": "openjdk-11-dbg"},
          {"reference": "openjdk-11-demo"},
          {"reference": "openjdk-11-doc"},
          {"reference": "openjdk-11-jdk"},
          {"reference": "openjdk-11-jdk-headless"},
          {"reference": "openjdk-11-jre"},
          {"reference": "openjdk-11-jre-headless"},
          {"reference": "openjdk-11-jre-zero"},
          {"reference": "openjdk-11-source"},
          {"reference": "openjdk-17"},
          {"reference": "openjdk-18"},
          {"reference": "openjdk-21"},
          {"reference": "openjdk-25"},
          {"reference": "openjdk-8"}
        ]
      }
    ]
  },
  "Ubuntu Linux-24.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "24.04",
        "pkgs": [
          {"reference": "openjdk-17-dbg"},
          {"reference": "openjdk-17-demo"},
          {"reference": "openjdk-17-doc"},
          {"reference": "openjdk-17-jdk"},
          {"reference": "openjdk-17-jdk-headless"},
          {"reference": "openjdk-17-jre"},
          {"reference": "openjdk-17-jre-headless"},
          {"reference": "openjdk-17-jre-zero"},
          {"reference": "openjdk-17-source"},
          {"reference": "openjdk-21-dbg"},
          {"reference": "openjdk-21-demo"},
          {"reference": "openjdk-21-doc"},
          {"reference": "openjdk-21-jdk"},
          {"reference": "openjdk-21-jdk-headless"},
          {"reference": "openjdk-21-jre"},
          {"reference": "openjdk-21-jre-headless"},
          {"reference": "openjdk-21-jre-zero"},
          {"reference": "openjdk-21-source"},
          {"reference": "openjdk-21-testsupport"},
          {"reference": "openjdk-25"},
          {"reference": "openjdk-8"},
          {"reference": "openjdk-lts"}
        ]
      }
    ]
  },
  "Ubuntu Linux-25.10": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "25.10",
        "pkgs": [
          {"reference": "openjdk-17"},
          {"reference": "openjdk-17-crac"},
          {"reference": "openjdk-21-crac"},
          {"reference": "openjdk-21-dbg"},
          {"reference": "openjdk-21-demo"},
          {"reference": "openjdk-21-doc"},
          {"reference": "openjdk-21-jdk"},
          {"reference": "openjdk-21-jdk-headless"},
          {"reference": "openjdk-21-jre"},
          {"reference": "openjdk-21-jre-headless"},
          {"reference": "openjdk-21-jre-zero"},
          {"reference": "openjdk-21-source"},
          {"reference": "openjdk-21-testsupport"},
          {"reference": "openjdk-25"},
          {"reference": "openjdk-8"},
          {"reference": "openjdk-lts"}
        ]
      }
    ]
  },
  "Ubuntu Linux-26.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "26.04",
        "pkgs": [
          {"reference": "openjdk-17"},
          {"reference": "openjdk-17-crac"},
          {"reference": "openjdk-21"},
          {"reference": "openjdk-21-crac"},
          {"reference": "openjdk-25-dbg"},
          {"reference": "openjdk-25-demo"},
          {"reference": "openjdk-25-doc"},
          {"reference": "openjdk-25-jdk"},
          {"reference": "openjdk-25-jdk-headless"},
          {"reference": "openjdk-25-jre"},
          {"reference": "openjdk-25-jre-headless"},
          {"reference": "openjdk-25-jre-zero"},
          {"reference": "openjdk-25-jvmci-jdk"},
          {"reference": "openjdk-25-source"},
          {"reference": "openjdk-25-testsupport"},
          {"reference": "openjdk-8"},
          {"reference": "openjdk-lts"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}
29 May 2026 00:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.16
EPSS0.00019
SSVC