Bug 2429927 (CVE-2026-21945)

Summary: CVE-2026-21945 openjdk: Enhance Certificate Checking (Oracle CPU 2026-01)
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: ahughes, fferrari, fitzsim, khosford, neugens, pjindal, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2026-01-20   

Description OSIDB Bzimport 2026-01-15 12:10:54 UTC 
When AIA is enabled, a client can send its leaf cert without the full
chain of intermediate certificates requiring the AIA information to be
used. There is no current way to verify the provided URI points to a
legitimate source.
Comment 1 errata-xmlrpc 2026-01-21 13:48:04 UTC 
This issue has been addressed in the following products:

  OPENJDK ELS 11.0.30

Via RHSA-2026:0849 https://access.redhat.com/errata/RHSA-2026:0849
Comment 2 errata-xmlrpc 2026-01-26 14:15:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:0931 https://access.redhat.com/errata/RHSA-2026:0931