java-25-openjdk-25.0.2.0.10-1.el9.ML.1

エラータID: AXSA:2026-154:04

Release date: 
Monday, February 9, 2026 - 17:55
Subject: 
java-25-openjdk-25.0.2.0.10-1.el9.ML.1
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

The OpenJDK 25 packages provide the OpenJDK 25 Java Runtime Environment and the OpenJDK 25 Java Software Development Kit.

Security Fix(es):

* JDK: Improve JMX connections (CVE-2026-21925)
* JDK: Improve HttpServer Request handling (CVE-2026-21933)
* JDK: Enhance Certificate Checking (CVE-2026-21945)
* libpng: LIBPNG buffer overflow (CVE-2025-64720)
* libpng: LIBPNG heap buffer overflow (CVE-2025-65018)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2025-64720
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.
CVE-2025-65018
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
CVE-2026-21925
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
CVE-2026-21933
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
CVE-2026-21945
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Solution: 

Update packages.

CVEs: 
CVE-2025-64720
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.
CVE-2025-65018
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
CVE-2026-21925
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
CVE-2026-21933
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
CVE-2026-21945
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Additional Info: 

N/A

Download: 

SRPMS
  1. java-25-openjdk-25.0.2.0.10-1.el9.ML.1.src.rpm
    MD5: dd22b696b8c8b6d96de1e2956442bd9b
    SHA-256: 771de605b72684258baa1ad6ac5b7e8ef1106d9e58d0cb9cbebb074b50906542
    Size: 73.80 MB

Asianux Server 9 for x86_64
  1. java-25-openjdk-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 6e82364824bad0ec679ce84ddbe6d3f0
    SHA-256: 006e6f80b1d855e4d472a625672e578561aff65f6e817e64f222bd2e241901ff
    Size: 382.39 kB
  2. java-25-openjdk-crypto-adapter-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 5969b12d68828765531c07db458c6699
    SHA-256: 913ae003b7468e3cb0965b603ba0b492236e960bb922eba9c172790730259d22
    Size: 44.63 kB
  3. java-25-openjdk-crypto-adapter-fastdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 72fdf30841b83b85d7380c1a4450e16c
    SHA-256: d1a64ba6a6388a5016e3589a0312e88e25be901cf233f2ca3956a6636da84979
    Size: 44.72 kB
  4. java-25-openjdk-crypto-adapter-slowdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: cf3c2cf4a7856317b90110979ddbb601
    SHA-256: 4d46d05b701ed341ba3f9f6ede529a382dbcb1c33b109bc26b40a45c6eee4e02
    Size: 45.19 kB
  5. java-25-openjdk-demo-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 66d5a0dfad3a192634e51c510dec3574
    SHA-256: 0925718ba23fb090c2364752a5257f4a81944466f40db125a583e63becafc984
    Size: 3.15 MB
  6. java-25-openjdk-demo-fastdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: ae473d38a818e2be76c652b8d2b76353
    SHA-256: 3939ccc0b734e16a764b4f82e2bc3cc24dc32d9b5805ecbd6c616fdfed3bae3f
    Size: 3.15 MB
  7. java-25-openjdk-demo-slowdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 156e67059abc527f5da98979206505f0
    SHA-256: 8c3414886f9f910f9f3b9e775a3a811572ea538d94c58051d7d12035c2e0e3b1
    Size: 3.15 MB
  8. java-25-openjdk-devel-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: b45f0e242a1aecbc0973373fe42d56a6
    SHA-256: 9f8215ac1f4f05109759434b8a16c36d6ea2f2b1f4de20b9b03a00f029c38baa
    Size: 6.04 MB
  9. java-25-openjdk-devel-fastdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 2c31da460cfaa9eb06775eaef9612e72
    SHA-256: 69c8f9c05905c3bff8edaf592a3e6e4f1f5a1a0cc015ce21ab5053e2c7f08181
    Size: 6.04 MB
  10. java-25-openjdk-devel-slowdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: be36deb7e1f773809d4392c5399cd8a3
    SHA-256: 7aef0f8fa364c8ce4dcda950aba6581b96fb23af6eac4d92d80129ddf377b166
    Size: 6.04 MB
  11. java-25-openjdk-fastdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 70fede237f1c90058f1b26cb9f75f45d
    SHA-256: c63884fba3c99fbc7123ba9519df99a9608d29882246735882763fa44cda10e5
    Size: 390.77 kB
  12. java-25-openjdk-headless-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: f58c825a17c736db862c4c4bf77b8023
    SHA-256: d10115ba4e5daa8710db9a717798a58ef9a7ad4770d91fa6a1c93fbc4559ac30
    Size: 59.05 MB
  13. java-25-openjdk-headless-fastdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: c31027f52f2da30360f98903d79d6a43
    SHA-256: d6c7cb82f7883a6d80b2333d7d668a513c6287ce0a41eaff2521f16f5969c7fd
    Size: 64.20 MB
  14. java-25-openjdk-headless-slowdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 74067433c502b0bc9e8778ec5146ebe7
    SHA-256: 562fdd83589a532a2b599771d362fc70f9f0e28fdb4b4ee4f2c147a0370075cd
    Size: 62.02 MB
  15. java-25-openjdk-javadoc-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 4a0514deedb7a92e5ac5c27cc97e095f
    SHA-256: 2d388e6ecac0f0299a80cfe7a9557ec41b6fb511616daceae9ad89ea3d52dde7
    Size: 19.85 MB
  16. java-25-openjdk-javadoc-zip-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 365ba599069feec64d98d51158b31d3e
    SHA-256: 17dff37506e86618e525b2d9466fd8388fbedee75e0d9dafc606e83f7fa77e74
    Size: 48.00 MB
  17. java-25-openjdk-jmods-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 0195561d0da1387078838aaa331e7463
    SHA-256: 6d87b39148bdd6334f77247a9927955a78647f78cf6d1d8add73c946b0cdf862
    Size: 344.62 MB
  18. java-25-openjdk-jmods-fastdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: c3c201b41df23df6499663d1a977a20e
    SHA-256: 1cc9a2532a3d9d229a9359090b0714d6b61410658a9036e920517f8c005f05e7
    Size: 406.84 MB
  19. java-25-openjdk-jmods-slowdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 0219139f853039b61fbf36ac0caf97cb
    SHA-256: 6560ba5e2a2f13c14d8b06e27c16fc5244541ba5c879380c22100af71e2ab902
    Size: 308.23 MB
  20. java-25-openjdk-slowdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 336b58d372f69171d052cf1aebce164b
    SHA-256: 685441cd83a433a6b4eefb69798a4eadb1173a0346e44a9b569e90ab9b70d54c
    Size: 392.70 kB
  21. java-25-openjdk-src-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 9b45db1f825ecd52b2fc888eacccaaf1
    SHA-256: 826ba5b506129c819b279e70ea3d729bfa368f108d64c01af34f4656f95aefd1
    Size: 46.17 MB
  22. java-25-openjdk-src-fastdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 07f6996e893f43a608f7710e76cb8ed0
    SHA-256: 1ccbeeca61a78e74cb9a62962e8a1fae007f5a03739f91361ba1a87e11050986
    Size: 46.18 MB
  23. java-25-openjdk-src-slowdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: 6f46f82b676df07abcd24b4886947632
    SHA-256: a657fed782af8935becbf6706f239c6cfad0544387c61360fd4e15cc56092e4e
    Size: 46.18 MB
  24. java-25-openjdk-static-libs-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: ffe97bd11bdfea84b25782a333ef95db
    SHA-256: fe765dd7cb86c0783dd8f0e82acde12dcae7723a17057b43f7299a43fd60d431
    Size: 31.02 MB
  25. java-25-openjdk-static-libs-fastdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: e02d21061081dbf7cf0a969f7697a870
    SHA-256: 7cf768b83b118cb6f41e6ab53bfbdb3b967914a06b1e738a905b5703f72f26ba
    Size: 31.25 MB
  26. java-25-openjdk-static-libs-slowdebug-25.0.2.0.10-1.el9.ML.1.x86_64.rpm
    MD5: fcc8586fa714aa044442f2155a4eeebe
    SHA-256: a01f54b3f14b775666dc5c9dfc39258a6a94489db4d0fb783543a44eff582529
    Size: 21.00 MB