Critical Vulnerabilities detected on Oracle Java and Azul Zulu

Multiple vulnerabilities have been identified in both Oracle Java and Azul Zulu distributions across various JDK and JRE versions. These flaws could allow attackers to execute arbitrary code, escalate privileges, or cause denial-of-service conditions. Systems running outdated or unpatched Java environments are particularly at risk. Oracle has released fixes for several of these issues as part of its April 2026 Critical Patch Update, while some vulnerabilities in Azul Zulu are currently documented without corresponding patches. Applying available updates and monitoring vendor advisories is essential to secure affected Java deployments. Below are the vulnerability details:

| S.No | CVEs | Patch Description | Patch ID | Bulletin ID | Reference |
|---|---|---|---|---|---|
| 1 | CVE-2026-20652, CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-34268, CVE-2026-34282 | Java SE Development Kit (x64) 8.0.4910.10 | 358379 | TU-160 | https://www.oracle.com/security-alerts/cpuapr2026.html |
| 2 | CVE-2026-20652, CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-34268, CVE-2026-34282 | Java SE Development Kit 8.0.4910.10 | 358381 | TU-160 | https://www.oracle.com/security-alerts/cpuapr2026.html |
| 3 | CVE-2026-20652, CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-34268, CVE-2026-34282 | Java Runtime Environment 1.8 (x64) 8.0.4910.10 | 358378 | TU-053 | https://www.oracle.com/security-alerts/cpuapr2026.html |
| 4 | CVE-2026-20652, CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-34268, CVE-2026-34282 | Java Runtime Environment 1.8 8.0.4910.10 | 358377 | TU-053 | https://www.oracle.com/security-alerts/cpuapr2026.html |
| 5 | CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282 | NA | NA | NA | https://docs.azul.com/core/cve |
| 6 | CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282 | Java SE Development Kit 25 (x64) 25.0.3 | 358344 | TU-2128 | https://www.oracle.com/security-alerts/cpuapr2026.html |
| 7 | CVE-2026-22008 | JDK 25 (x64) 25.0.2 / 25.0.3 | 355210, 358344 | TU-2128 | https://www.oracle.com/security-alerts/cpuapr2026.html |
| 8 | CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282 | JDK 21 (x64) 21.0.11 | 358343 | TU-1553 | https://www.oracle.com/security-alerts/cpuapr2026.html |
| 9 | CVE-2026-20652, CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268 | NA | NA | NA | https://docs.azul.com/core/cve |
| 10 | CVE-2026-20652, CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268 | NA | NA | NA | https://docs.azul.com/core/cve |
| 11 | CVE-2026-20652, CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282 | NA | NA | NA | https://docs.azul.com/core/cve |
| 12 | CVE-2026-20652, CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282 | NA | NA | NA | https://docs.azul.com/core/cve |
| 13 | CVE-2026-20652, CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282 | NA | NA | NA | https://docs.azul.com/core/cve |
| 14 | CVE-2026-20652, CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282 | NA | NA | NA | https://docs.azul.com/core/cve |
| 15 | CVE-2026-20652, CVE-2026-22007, CVE-2026-22008, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282 | NA | NA | NA | https://docs.azul.com/core/cve |
| 16 | CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282 | JDK 11 (64-bit) 11.0.31 | 358388 | TU-802 | https://www.oracle.com/security-alerts/cpuapr2026.html |
| 17 | CVE-2026-22007, CVE-2026-22013, CVE-2026-22016, CVE-2026-22018, CVE-2026-22021, CVE-2026-23865, CVE-2026-34268, CVE-2026-34282 | JDK 17 17.0.19 | 358380 | TU-1282 | https://www.oracle.com/security-alerts/cpuapr2026.html |

Immediately deploy patches for vulnerabilities where fixes are available. To patch the vulnerabilities using Vulnerability Manager Plus, initiate a database sync between the Vulnerability Manager Plus server and the Central Patch repository, then search for these Patch IDs or Bulletin IDs. Select the patches and deploy them to your target machines. For vulnerabilities where patches have not yet been released, continuously monitor vendor advisories, apply available mitigations or workarounds, and restrict exposure by limiting access to affected applications until official fixes become available.

Cheers, 

ManageEngine Team
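
To triage hosts against the patched Oracle releases listed in the table above, the following added example (not part of the ManageEngine post or of Vulnerability Manager Plus) classifies the banner printed by `java -version`. The status strings, the sample banners, and the mapping of installer version 8.0.4910.10 to update 491 are assumptions made for this example.

```python
import re

# Patched Oracle releases from the advisory table (Patch Description column).
# Assumption: installer version 8.0.4910.10 corresponds to update 491,
# which `java -version` reports as "1.8.0_491".
PATCHED = {8: (8, 0, 491), 11: (11, 0, 31), 17: (17, 0, 19),
           21: (21, 0, 11), 25: (25, 0, 3)}

# Constructed sample banners (shortened; not captured from real hosts).
# On a host, `java -version` writes this banner to stderr.
SAMPLES = {
    "oracle8-old": 'java version "1.8.0_481"\nJava(TM) SE Runtime Environment',
    "oracle21-new": 'java version "21.0.11"\nJava(TM) SE Runtime Environment',
    "zulu17": 'openjdk version "17.0.18"\nOpenJDK Runtime Environment Zulu17',
}

def parse_version(banner):
    """Return (major, minor, patch) from a `java -version` banner, or None."""
    m = re.search(r'version "([^"]+)"', banner)
    if not m:
        return None
    raw = m.group(1)
    legacy = re.match(r'1\.(\d+)\.(\d+)(?:_(\d+))?', raw)
    if legacy:  # "1.8.0_481": the update number is the patch level
        return tuple(int(g or 0) for g in legacy.groups())
    dotted = re.match(r'\d+(?:\.\d+)*', raw)
    if not dotted:
        return None
    nums = [int(n) for n in dotted.group(0).split('.')][:3]
    return tuple(nums + [0] * (3 - len(nums)))  # "25" -> (25, 0, 0)

def classify(banner):
    """Map a banner to a triage status for this advisory."""
    version = parse_version(banner)
    if version is None:
        return "unparsed"
    if "Zulu" in banner:  # the table lists NA (no patch) for the Azul rows
        return "azul-monitor-advisory"
    if "Java(TM)" not in banner:  # not an Oracle build; outside the table
        return "other-vendor"
    floor = PATCHED.get(version[0])
    if floor is None:
        return "release-line-not-listed"
    return "patched" if version >= floor else "needs-update"

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(name, classify(banner))
```
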
