It was discovered that the computeNextExponential() method in the Libraries component of OpenJDK did not comply with its documentation and could sometimes return negative numbers.
Public now via Oracle CPU July 2022: https://www.oracle.com/security-alerts/cpujul2022.html#AppendixJAVA
Fixed in Oracle Java SE 17.0.4. Release notes: https://www.oracle.com/java/technologies/javase/17-0-4-relnotes.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5726 https://access.redhat.com/errata/RHSA-2022:5726
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:5736 https://access.redhat.com/errata/RHSA-2022:5736
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.4 Via RHSA-2022:5757 https://access.redhat.com/errata/RHSA-2022:5757
This issue has been addressed in the following products: Red Hat Build of OpenJDK 17.0.4 Via RHSA-2022:5758 https://access.redhat.com/errata/RHSA-2022:5758
OpenJDK-17 upstream commit: https://github.com/openjdk/jdk17u/commit/ff1ef50a42a7cadf262d8bc22a8775ffe19f5f04
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-21549
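A runtime self-check for the defect described at the top of this record, added here as an example; it is not part of the Red Hat record, the OpenJDK project or the upstream fix. It compares the running JDK against the 17.0.4 fix release named above and then draws from RandomGenerator.nextExponential(), whose default implementation delegates to the computeNextExponential() method in question, looking for a value below zero. The class and method names and the default sample count are my own choices.

```java
import java.util.random.RandomGenerator;

/**
 * Added example: probes a JDK 17 runtime for the CVE-2022-21549 defect.
 * Not from the advisory or the OpenJDK sources; names are hypothetical.
 */
public class ExponentialSanityCheck {

    /** True when the running JDK is at least the given release (17.0.4 carries the fix per the record above). */
    static boolean runtimeIsAtLeast(String version) {
        return Runtime.version().compareTo(Runtime.Version.parse(version)) >= 0;
    }

    /**
     * Draws {@code samples} values from nextExponential() and returns the smallest one seen.
     * The documented contract is a result >= 0, so a negative minimum proves the defective
     * computeNextExponential() is in use. A non-negative minimum does NOT prove the fix is
     * present: the bad path is reached rarely, so treat this as evidence, not proof.
     */
    static double minExponential(RandomGenerator rng, long samples) {
        double min = Double.POSITIVE_INFINITY;
        for (long i = 0; i < samples; i++) {
            double x = rng.nextExponential();
            if (x < min) {
                min = x;
            }
        }
        return min;
    }

    public static void main(String[] args) {
        // Sample count is arbitrary; raise it for a longer soak.
        long samples = args.length > 0 ? Long.parseLong(args[0]) : 50_000_000L;

        System.out.println("java.version = " + Runtime.version()
                + " (>= 17.0.4: " + runtimeIsAtLeast("17.0.4") + ")");

        // Several registered algorithms; each uses the shared default nextExponential().
        String[] algorithms = {"L64X128MixRandom", "Xoshiro256PlusPlus", "Random"};
        for (String algo : algorithms) {
            RandomGenerator rng = RandomGenerator.of(algo);
            double min = minExponential(rng, samples);
            System.out.printf("%-20s min over %d draws = %.6g -> %s%n",
                    algo, samples, min,
                    min < 0 ? "NEGATIVE: defect present" : "no negative value observed");
        }
    }
}
```

Compile and run with the JDK under test (`javac ExponentialSanityCheck.java && java ExponentialSanityCheck`). The version comparison is the reliable signal on Oracle and upstream builds; on distribution packages, check the installed package against the RHSA identifiers listed above rather than relying on the version string alone, and treat a clean sampling run only as absence of evidence.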