Not a user yet?
Log in Register for free Suggest a product
Update

USN-7995-1: OpenJDK 25 vulnerabilities

Ubuntu DesktopUbuntu Desktop
Canonical

USN-7995-1: OpenJDK 25 vulnerabilities
Publication date: 2 February 2026
Overview: Several security issues were fixed in OpenJDK 25.

Packages
openjdk-25 - Open Source Java implementation

Details
It was discovered that the RMI component of OpenJDK 25 would establish
RMI TCP endpoint connections to a remote host without setting an
endpoint identification algorithm. An unauthenticated remote attacker
could possibly use this issue to steal sensitive information.
(CVE-2026-21925)

Mingijung discovered that the AWT and JavaFX componenets of OpenJDK 25
could run programs if Desktop.browse() was supplied a filename as a
URI. An unauthenticated remote attacker could possibly use this issue
to execute arbitrary code. (CVE-2026-21932)

Zhihui Chen discovered that the Networking component of OpenJDK 25
was suceptible to a CRLF injection vulnerability via the HttpServer
class. An unauthenticated remote attacker could possibly use this
issue to modify files or leak sensitive information. (CVE-2026-21933)

Ireneusz Pastusiak discovered that the Security component of OpenJDK
25 failed to verify provided URIs point to a legitimate source when
AIA is enabled. An unauthenticated remote attacker could possibly
use this issue to redirect users to malicious hosts.
(CVE-2026-21945)

In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.

Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-01-20

Update instructions
This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart Java applications to make all the necessary changes.

25.10 questing

  • openjdk-25-jdk – 25.0.2+10-1~25.10
  • openjdk-25-jdk-headless – 25.0.2+10-1~25.10
  • openjdk-25-jre – 25.0.2+10-1~25.10
  • openjdk-25-jre-headless – 25.0.2+10-1~25.10
  • openjdk-25-jre-zero – 25.0.2+10-1~25.10
  • openjdk-25-jvmci-jdk – 25.0.2+10-1~25.10

24.04 LTS noble

  • openjdk-25-jdk – 25.0.2+10-1~24.04
  • openjdk-25-jdk-headless – 25.0.2+10-1~24.04
  • openjdk-25-jre – 25.0.2+10-1~24.04
  • openjdk-25-jre-headless – 25.0.2+10-1~24.04
  • openjdk-25-jre-zero – 25.0.2+10-1~24.04
  • openjdk-25-jvmci-jdk – 25.0.2+10-1~24.04

22.04 LTS jammy

  • openjdk-25-jdk – 25.0.2+10-1~22.04
  • openjdk-25-jdk-headless – 25.0.2+10-1~22.04
  • openjdk-25-jre – 25.0.2+10-1~22.04
  • openjdk-25-jre-headless – 25.0.2+10-1~22.04
  • openjdk-25-jre-zero – 25.0.2+10-1~22.04
  • openjdk-25-jvmci-jdk – 25.0.2+10-1~22.04
More updatesTo the product
The manufacturer Canonical has not yet set up its devicebase profile. Content such as updates, compatibilities and support may only be maintained with a delay.
Receive Important Update Messages Stay tuned for upcoming Canonical updates

More from the Operating Systems section

Was the content helpful to you?

Advertisement Advertise here?
Udemy IT certification ad