Bug 2429927 (CVE-2026-21945) - CVE-2026-21945 openjdk: Enhance Certificate Checking (Oracle CPU 2026-01)
Summary: CVE-2026-21945 openjdk: Enhance Certificate Checking (Oracle CPU 2026-01)
Keywords:
Status: NEW
Alias: CVE-2026-21945
Deadline: 2026-01-20
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-01-15 12:10 UTC by OSIDB Bzimport
Modified: 2026-03-17 19:26 UTC (History)
7 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2026:0849 0 None None None 2026-01-21 13:48:06 UTC
Red Hat Product Errata RHSA-2026:0931 0 None None None 2026-01-26 14:15:28 UTC
Red Hat Product Errata RHSA-2026:4832 0 None None None 2026-03-17 19:26:07 UTC

Description OSIDB Bzimport 2026-01-15 12:10:54 UTC 
When AIA is enabled, a client can send its leaf cert without the full
chain of intermediate certificates requiring the AIA information to be
used. There is no current way to verify the provided URI points to a
legitimate source.
Comment 1 errata-xmlrpc 2026-01-21 13:48:04 UTC 
This issue has been addressed in the following products:

  OPENJDK ELS 11.0.30

Via RHSA-2026:0849 https://access.redhat.com/errata/RHSA-2026:0849
Comment 2 errata-xmlrpc 2026-01-26 14:15:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:0931 https://access.redhat.com/errata/RHSA-2026:0931
Comment 3 Michal Findra 2026-02-10 14:14:54 UTC 
OpenJDK-8 upstream commit:
https://github.com/openjdk/jdk8u/commit/cea3cd4c1d7aa70e998d45ca2e419793a550321e

OpenJDK-11 upstream commit:
https://github.com/openjdk/jdk11u/commit/5d80a0e0571e163077356904d7810fcc8d9b26f0

OpenJDK-17 upstream commit:
https://github.com/openjdk/jdk17u/commit/ae8ed4b8bbb774cc830d2d3647a32e61fb3a9899

OpenJDK-21 upstream commit:
https://github.com/openjdk/jdk21u/commit/400d4c96da198f5372178b9f4c5d0e5671ba8781

OpenJDK-25 upstream commit:
https://github.com/openjdk/jdk25u/commit/405a5699ebd097464ed3fc9345414b0774a2edc9
Comment 4 Michal Findra 2026-02-10 14:19:49 UTC 
This CVE was fixed in Oracle Java SE 8u481, 11.0.30, 17.0.18, 21.0.10, 25.0.2. 

https://www.oracle.com/java/technologies/javase/8u481-relnotes.html#R180_481
https://www.oracle.com/java/technologies/javase/11-0-30-relnotes.html#R11_0_30
https://www.oracle.com/java/technologies/javase/17-0-18-relnotes.html#R17_0_18
https://www.oracle.com/java/technologies/javase/21-0-10-relnotes.html
https://www.oracle.com/java/technologies/javase/25-0-2-relnotes.html
Comment 5 errata-xmlrpc 2026-03-17 19:26:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:4832 https://access.redhat.com/errata/RHSA-2026:4832
Note You need to log in before you can comment on or make changes to this bug.