GraalVM Vulnerability Advisories

Oracle takes security vulnerabilities seriously. If you have discovered a security vulnerability in GraalVM, please report it according to the Oracle vulnerability disclosure process.

This page provides information about security vulnerabilities that have been identified and addressed in GraalVM releases.

Security Updates

January 2026

The following vulnerabilities were fixed in this release.

Each entry lists the CVE ID, Product, Component, Protocol, whether the issue is remotely exploitable without authentication, the CVSS version 3.1 risk metrics (see Risk Matrix Definitions), the Supported Versions Affected, and any applicable Notes.

CVE-2026-21945
  Product: Oracle GraalVM, Oracle GraalVM Enterprise Edition
  Component: Security
  Protocol: Multiple
  Remote Exploit without Auth.?: Yes
  CVSS 3.1: Base Score 7.5; Attack Vector Network; Attack Complexity Low; Privileges Required None; User Interaction None; Scope Unchanged; Confidentiality None; Integrity None; Availability High
  Supported Versions Affected:
    • Oracle GraalVM 25.0.1
    • Oracle GraalVM:
      • For JDK 21.0.9 (23.1.9)
      • For JDK 17.0.17 (23.0.10)
    • Oracle GraalVM Enterprise Edition 21.3.16
  Notes: See Note 1

CVE-2026-21932
  Product: Oracle GraalVM, Oracle GraalVM Enterprise Edition
  Component: AWT, JavaFX
  Protocol: Multiple
  Remote Exploit without Auth.?: Yes
  CVSS 3.1: Base Score 7.4; Attack Vector Network; Attack Complexity Low; Privileges Required None; User Interaction Required; Scope Changed; Confidentiality None; Integrity High; Availability None
  Supported Versions Affected:
    • Oracle GraalVM 25.0.1
    • Oracle GraalVM:
      • For JDK 21.0.9 (23.1.9)
      • For JDK 17.0.17 (23.0.10)
    • Oracle GraalVM Enterprise Edition 21.3.16
  Notes: See Note 1

CVE-2026-21933
  Product: Oracle GraalVM, Oracle GraalVM Enterprise Edition
  Component: Networking
  Protocol: Multiple
  Remote Exploit without Auth.?: Yes
  CVSS 3.1: Base Score 6.1; Attack Vector Network; Attack Complexity Low; Privileges Required None; User Interaction Required; Scope Changed; Confidentiality Low; Integrity Low; Availability None
  Supported Versions Affected:
    • Oracle GraalVM 25.0.1
    • Oracle GraalVM:
      • For JDK 21.0.9 (23.1.9)
      • For JDK 17.0.17 (23.0.10)
    • Oracle GraalVM Enterprise Edition 21.3.16
  Notes: See Note 2

CVE-2026-21933
  Product: Oracle GraalVM, Oracle GraalVM Enterprise Edition
  Component: RMI
  Protocol: Multiple
  Remote Exploit without Auth.?: Yes
  CVSS 3.1: Base Score 4.8; Attack Vector Network; Attack Complexity High; Privileges Required None; User Interaction None; Scope Unchanged; Confidentiality Low; Integrity Low; Availability None
  Supported Versions Affected:
    • Oracle GraalVM 25.0.2
    • Oracle GraalVM:
      • For JDK 21.0.9 (23.1.9)
      • For JDK 17.0.17 (23.0.10)
    • Oracle GraalVM Enterprise Edition 21.3.16
  Notes: See Note 2

Notes:

  1. This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
  2. This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

October 2025

The following vulnerabilities were fixed in this release.

Each entry lists the CVE ID, Product, Component, Protocol, whether the issue is remotely exploitable without authentication, the CVSS version 3.1 risk metrics (see Risk Matrix Definitions), and the Supported Versions Affected.

CVE-2025-53057
  Product: Oracle GraalVM, Oracle GraalVM Enterprise Edition
  Component: Security
  Protocol: Multiple
  Remote Exploit without Auth.?: Yes
  CVSS 3.1: Base Score 5.9; Attack Vector Network; Attack Complexity High; Privileges Required None; User Interaction None; Scope Unchanged; Confidentiality None; Integrity High; Availability None
  Supported Versions Affected:
    • Oracle GraalVM 25.0
    • Oracle GraalVM:
      • For JDK 21.0.8 (23.1.8)
      • For JDK 17.0.16 (23.0.9)
    • Oracle GraalVM Enterprise Edition 21.3.15

CVE-2025-53066
  Product: Oracle GraalVM, Oracle GraalVM Enterprise Edition
  Component: JAXP
  Protocol: Multiple
  Remote Exploit without Auth.?: Yes
  CVSS 3.1: Base Score 4.8; Attack Vector Network; Attack Complexity High; Privileges Required None; User Interaction None; Scope Unchanged; Confidentiality Low; Integrity None; Availability Low
  Supported Versions Affected:
    • Oracle GraalVM 25.0
    • Oracle GraalVM:
      • For JDK 21.0.8 (23.1.8)
      • For JDK 17.0.16 (23.0.9)
    • Oracle GraalVM Enterprise Edition 21.3.15

CVE-2025-61755
  Product: Oracle GraalVM
  Component: Compiler
  Protocol: Multiple
  Remote Exploit without Auth.?: Yes
  CVSS 3.1: Base Score 3.7; Attack Vector Network; Attack Complexity High; Privileges Required None; User Interaction None; Scope Unchanged; Confidentiality Low; Integrity None; Availability None
  Supported Versions Affected:
    • Oracle GraalVM 25.0
    • Oracle GraalVM:
      • For JDK 21.0.8 (23.1.8)
      • For JDK 17.0.16 (23.0.9)

CVE-2025-61748
  Product: Oracle GraalVM, Oracle GraalVM Enterprise Edition
  Component: Libraries
  Protocol: Multiple
  Remote Exploit without Auth.?: Yes
  CVSS 3.1: Base Score 3.7; Attack Vector Network; Attack Complexity High; Privileges Required None; User Interaction None; Scope Unchanged; Confidentiality None; Integrity Low; Availability None
  Supported Versions Affected:
    • Oracle GraalVM 25.0
    • Oracle GraalVM:
      • For JDK 21.0.8 (23.1.8)
    • Oracle GraalVM Enterprise Edition 21.3.15

Staying Informed

To stay informed about GraalVM security updates:

  1. Subscribe to Oracle Security Alerts: Sign up for notifications at Oracle Security Alerts
  2. Monitor GraalVM Release Notes: Check the GraalVM Release Notes for security-related updates
  3. Follow GraalVM Community: Join the GraalVM community for announcements