java-21-openjdk-21.0.10.0.7-1.el9.ML.1

エラータID: AXSA:2026-098:01

Release date: 
Friday, January 30, 2026 - 09:54
Subject: 
java-21-openjdk-21.0.10.0.7-1.el9.ML.1
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

The OpenJDK 21 packages provide the OpenJDK 21 Java Runtime Environment and the
OpenJDK 21 Java Software Development Kit.

Security Fix(es):

JDK: Improve JMX connections (CVE-2026-21925)
JDK: Improve HttpServer Request handling (CVE-2026-21933)
JDK: Enhance Certificate Checking (CVE-2026-21945)
libpng: LIBPNG buffer overflow (CVE-2025-64720)
libpng: LIBPNG heap buffer overflow (CVE-2025-65018)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE(s):
CVE-2025-64720
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.
CVE-2025-65018
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
CVE-2026-21925
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
CVE-2026-21933
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
CVE-2026-21945
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Solution: 

Update packages.

CVEs: 
CVE-2025-64720
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.
CVE-2025-65018
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
CVE-2026-21925
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
CVE-2026-21933
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
CVE-2026-21945
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Additional Info: 

N/A

Download: 

SRPMS
  1. java-21-openjdk-21.0.10.0.7-1.el9.ML.1.src.rpm
    MD5: 05a1e026d5e74e87b35ebd25c7985515
    SHA-256: ef818d2c0efd4fd1bb7f2ae820a7c898c37db54120f0efa2f1eb0c5d0f0fb42c
    Size: 67.81 MB

Asianux Server 9 for x86_64
  1. java-21-openjdk-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: 07e1c1e1217c1921479ffa0c3cd503b7
    SHA-256: 1c0eb63b2b103447c73f0a6fc1718fd038ed5b40962f4c64d6c24f19b3d1f8e9
    Size: 398.73 kB
  2. java-21-openjdk-demo-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: 5d846a3eeef81e11c6ee44e4d9bb0f4a
    SHA-256: 7177120795fe7d2c0354aafd2481c28f3e24480e759ce792090a6ab1fb848946
    Size: 3.18 MB
  3. java-21-openjdk-demo-fastdebug-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: bbf7dc10afacfa2c91084f3378df5efb
    SHA-256: f5dddea85906f721d8c3592b6c30e1c163cc48fcfe99f39394be2e854dedcd0c
    Size: 3.18 MB
  4. java-21-openjdk-demo-slowdebug-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: 91b2be834ba18e396fa014d0db4d0097
    SHA-256: 6ddfb90c3917465d6401679eae60ab1061fba6e79e7480af4f4cceca02ea414f
    Size: 3.18 MB
  5. java-21-openjdk-devel-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: f7cdab4642555e43a2509dac74d8e015
    SHA-256: a1b1d0afc6c718c3217f7dcace885f365ecbe1597f3576b80b1f6bf83082ea58
    Size: 5.01 MB
  6. java-21-openjdk-devel-fastdebug-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: 523cbdc88520a756ccd0fb6e1b13e19b
    SHA-256: 30101e3c9388b01c46fa3fac0eae4cfce04f319e9120a4e346b5ddab6283b1cd
    Size: 5.01 MB
  7. java-21-openjdk-devel-slowdebug-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: 792825d0f4b0c5aa9875af6cc44a3a5c
    SHA-256: 0a5688e532e12bf577b0c8be45867a1b293f9afb5ea16f27b4d0c641fb5199d0
    Size: 5.01 MB
  8. java-21-openjdk-fastdebug-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: d2162ca5890b2358a169b7d4658de3c8
    SHA-256: 3376820f6e038eca031442eadcbdd457807620bd67d0f6ce6d2af2949c0364bb
    Size: 407.70 kB
  9. java-21-openjdk-headless-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: 4fbe937a89e1421c08f3972533e551e9
    SHA-256: 77f2add38314148211a385b2d166bfd61d99ffa499e194bd0d821f038fa47538
    Size: 47.39 MB
  10. java-21-openjdk-headless-fastdebug-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: 9dcf101d1b14fa66b7bce70d7ed54fce
    SHA-256: 99f06d3779972c5fff777269fb251c2c4afa53293e8ff3e17786835738d0cdbf
    Size: 51.93 MB
  11. java-21-openjdk-headless-slowdebug-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: 6334e7623d708a531d2e964bed6fe94f
    SHA-256: e4c8cba24df798b6a346327bf1330776aaf10fd397fe40bb188ccd8bac68c2e3
    Size: 49.91 MB
  12. java-21-openjdk-javadoc-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: f87b63d1325600952f05529a9b119c76
    SHA-256: 56094f0499b1899d392b83c6f89a5e69022bea2b326033dd36b13bffa5a7be64
    Size: 14.97 MB
  13. java-21-openjdk-javadoc-zip-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: 5c36433461fc24eae3eb6377444fdecc
    SHA-256: 743e7edf509e4647f39a48eaeb4f7adc0c6123abbfa81f192d845cc1bd3e7d74
    Size: 40.58 MB
  14. java-21-openjdk-jmods-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: 506574d697e4199b5b57bee49f238128
    SHA-256: 7933a6955f4a43700a1b0ddd6545deddacd6d2f893fc3a468c3a1bd2b648f16c
    Size: 302.87 MB
  15. java-21-openjdk-jmods-fastdebug-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: 22444f208dd5aff434d5b478e48cdf10
    SHA-256: d0147006aa9b056342b3dd65da024b4f7e5441dd49a52bd45f8d77083bf1cd81
    Size: 353.96 MB
  16. java-21-openjdk-jmods-slowdebug-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: edc270d6f080792db1e6f1cb77503a87
    SHA-256: 1bcd11ed63a10d44250d17fda6494e231c0fd3b0f8464e01407d65fbf5862a6b
    Size: 269.15 MB
  17. java-21-openjdk-slowdebug-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: fdd52c1f006a9441b665dbc20b2e761e
    SHA-256: da6e8a2d6dc69ecf4f749768f7f63ef79cc61dae89d2d993165594e21513177b
    Size: 408.46 kB
  18. java-21-openjdk-src-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: 97a01185c46c0188d5624975ccbe624a
    SHA-256: 28c45585984e3ba870e1ab8dd6c544c8345b324cd480a4ebba80f185cc89a8db
    Size: 46.76 MB
  19. java-21-openjdk-src-fastdebug-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: e86b1cd68b33713376348699e1c7fb4f
    SHA-256: 2e4a546104dc613797c5c0301cf9ae2abab53580fe37e8693fc089146620b33e
    Size: 46.76 MB
  20. java-21-openjdk-src-slowdebug-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: b60b6c25cabbe45c8b68957802c01760
    SHA-256: afe05a96ff235131fb0ab2a6edd4990dec53b9507c42749e49cd779dce0d06e2
    Size: 46.76 MB
  21. java-21-openjdk-static-libs-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: 4017a452dd25432e8619c261505b3413
    SHA-256: 4707bb3db1e2016c35aa8d97e85fc834e9bca7e00d2b74d29fcf4eab4e7632d6
    Size: 29.99 MB
  22. java-21-openjdk-static-libs-fastdebug-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: bc4d04ae8565df52d44e40850c199390
    SHA-256: e7339191284c8e223c4072b6ba6223f2dcb9563026576aa415ca6fbaebe7bd63
    Size: 30.15 MB
  23. java-21-openjdk-static-libs-slowdebug-21.0.10.0.7-1.el9.ML.1.x86_64.rpm
    MD5: 2038a9cfa76ff65393efb564f6ba7e10
    SHA-256: 2c9967368f7a62b72b5f8005fa51a6827672afc4d16346f0f82aedaa4cecdf06
    Size: 21.34 MB