java-1.8.0-openjdk-1.8.0.482.b08-1.el9.ML.1

エラータID: AXSA:2026-130:04

Release date: 
Tuesday, February 3, 2026 - 17:10
Subject: 
java-1.8.0-openjdk-1.8.0.482.b08-1.el9.ML.1
Affected Channels: 
MIRACLE LINUX 9 for x86_64
Severity: 
High
Description: 

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment
and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

JDK: Improve JMX connections (CVE-2026-21925)
JDK: Improve HttpServer Request handling (CVE-2026-21933)
JDK: Enhance Certificate Checking (CVE-2026-21945)
libpng: LIBPNG buffer overflow (CVE-2025-64720)
libpng: LIBPNG heap buffer overflow (CVE-2025-65018)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE page(s)
listed in the References section.

CVE(s):
CVE-2025-64720
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.
CVE-2025-65018
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
CVE-2026-21925
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
CVE-2026-21933
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
CVE-2026-21945
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

SRPMS(s):
java-1.8.0-openjdk-1.8.0.482.b08-1.el9.alma.1.src.rpm

Additional info:
https://access.redhat.com/errata/RHSA-2026:0932
https://www.cve.org/CVERecord?id=CVE-2025-64720
https://www.cve.org/CVERecord?id=CVE-2025-65018
https://www.cve.org/CVERecord?id=CVE-2026-21925
https://www.cve.org/CVERecord?id=CVE-2026-21933
https://www.cve.org/CVERecord?id=CVE-2026-21945

Solution: 

Update packages.

CVEs: 
CVE-2025-64720
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, an out-of-bounds read vulnerability exists in png_image_read_composite when processing palette images with PNG_FLAG_OPTIMIZE_ALPHA enabled. The palette compositing code in png_init_read_transformations incorrectly applies background compositing during premultiplication, violating the invariant component ≤ alpha × 257 required by the simplified PNG API. This issue has been patched in version 1.6.51.
CVE-2025-65018
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. From version 1.6.0 to before 1.6.51, there is a heap buffer overflow vulnerability in the libpng simplified API function png_image_finish_read when processing 16-bit interlaced PNGs with 8-bit output format. Attacker-crafted interlaced PNG files cause heap writes beyond allocated buffer bounds. This issue has been patched in version 1.6.51.
CVE-2026-21925
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
CVE-2026-21933
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
CVE-2026-21945
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Additional Info: 

N/A

Download: 

SRPMS
  1. java-1.8.0-openjdk-1.8.0.482.b08-1.el9.ML.1.src.rpm
    MD5: 0a3e762f4c9af4f0e094457bd9313d16
    SHA-256: e9a413e44121fdb027731da428cf61c3f37b13e73eedf0d0451d6cb8234ee9f8
    Size: 58.52 MB

Asianux Server 9 for x86_64
  1. java-1.8.0-openjdk-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
    MD5: ac0d2151c04c5d494417cb00a61bc783
    SHA-256: eda396a5954b60bf0a44b1eefde149b06313c5834e1244e2ce9edfe31581226e
    Size: 421.92 kB
  2. java-1.8.0-openjdk-demo-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
    MD5: 123d6b84666649279d4b9e5c6e611a3f
    SHA-256: 0117e907b1c038c224970359acbf23ea0a7ba1c6bf3ecd1620d75da34b5c6e26
    Size: 2.04 MB
  3. java-1.8.0-openjdk-demo-fastdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
    MD5: e2aab509fd39e8073d80d2cc0618c892
    SHA-256: 917aa0733a8cc841907a9edd4b039058523f390c9b11947c04e8bbf32af49993
    Size: 2.06 MB
  4. java-1.8.0-openjdk-demo-slowdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
    MD5: e10ecbaf926b7af5ecf41d36873d252d
    SHA-256: 7f2b41a97f7d34c257eb8aa711561b272b1a700867354c10173da7beb983c6e1
    Size: 2.06 MB
  5. java-1.8.0-openjdk-devel-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
    MD5: 7f71a649938bd25e52fbce7e5256edcc
    SHA-256: a83bddf410a08ba022bad111b0233dff1da21626f2c4d1a4777f9517315d8d19
    Size: 9.35 MB
  6. java-1.8.0-openjdk-devel-fastdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
    MD5: b8cf87591e0935a10c7f8860cd3a288f
    SHA-256: 909318fb2ee20e2f2d536992e78b92f27e8132c6bdfcd444f90ced656d3cb56b
    Size: 9.36 MB
  7. java-1.8.0-openjdk-devel-slowdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
    MD5: fad521dd4c6ca612a865b48645d4f0db
    SHA-256: e8b5d78a1a510da51dbe56620e6664a6123f0201394d41fd64ffc28a48a619d8
    Size: 9.36 MB
  8. java-1.8.0-openjdk-fastdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
    MD5: 3cf8f5ee3c5e1f5c78828d0589417573
    SHA-256: 7a01ec95452a85c58aa23353cfe4b1cbe635a6de61a5d6acb40b1aefbaa75026
    Size: 433.54 kB
  9. java-1.8.0-openjdk-headless-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
    MD5: f06c2285efbbeae60285c2b283f030bb
    SHA-256: 8ed149ad3535171e04d30018a6d077bbb5a8f38e53600a93afaa873fb90a3b40
    Size: 33.19 MB
  10. java-1.8.0-openjdk-headless-fastdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
    MD5: a7bc210531ff4a6155434c979499cd3d
    SHA-256: 2bea9effc483dfc0928e620cef5c84af3d71583ed36a8abf451438f2ae91b93a
    Size: 36.94 MB
  11. java-1.8.0-openjdk-headless-slowdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
    MD5: 66873edeacbf42b322d8b70f98c4ea55
    SHA-256: d1b428fd7055aefab2974ac6289c7a907d1af438301c4fe227c1cba4c49f7694
    Size: 34.42 MB
  12. java-1.8.0-openjdk-javadoc-1.8.0.482.b08-1.el9.ML.1.noarch.rpm
    MD5: c0582dff8786b3cda795202335873a6f
    SHA-256: 9be40dd20f9c7b0cc9460f04fc439486dbf86e46634559013536e342f12ffcd0
    Size: 14.45 MB
  13. java-1.8.0-openjdk-javadoc-zip-1.8.0.482.b08-1.el9.ML.1.noarch.rpm
    MD5: 8094fd947a92f329247f958fc28f6d25
    SHA-256: 754c000cc72b6d64f78b062e69946273f4f24087d23821f57278d0d7e2258716
    Size: 40.72 MB
  14. java-1.8.0-openjdk-slowdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
    MD5: 6f9077b9a737612dc4f49d23dcf9536b
    SHA-256: c2538b4486b5e73a1c813e0206f1a2d8dac80f4531fdafc642d49811743e6859
    Size: 406.73 kB
  15. java-1.8.0-openjdk-src-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
    MD5: 36bb5939bbe7d9c2f5ba1b732740c26d
    SHA-256: d116ea079796ec9add6db2270d3f845a5e652d306dfe98c622a5a80592ec8244
    Size: 44.66 MB
  16. java-1.8.0-openjdk-src-fastdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
    MD5: 2cf0ba828bd02321c2661c3b9c80bdd5
    SHA-256: 28c3adf3fec1a6c3c3f0571f112dab0099ae064d7a7d4a7e284270e206b373b8
    Size: 44.66 MB
  17. java-1.8.0-openjdk-src-slowdebug-1.8.0.482.b08-1.el9.ML.1.x86_64.rpm
    MD5: 70fcb8a3d52293ee2789a7e72e346966
    SHA-256: 9ffc928338a9028c83f40a4c337e0d27df947bedf1e16e35c17d64f82c04e7db
    Size: 44.66 MB