Bug 2460041 (CVE-2026-22018) - CVE-2026-22018 openjdk: OpenJDK: Enhance Zip file reading (Oracle CPU 2026-04)
Summary: CVE-2026-22018 openjdk: OpenJDK: Enhance Zip file reading (Oracle CPU 2026-04)
Keywords:
Status: NEW
Alias: CVE-2026-22018
Deadline: 2026-04-21
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-04-21 10:06 UTC by OSIDB Bzimport
Modified: 2026-04-23 09:11 UTC (History)
7 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-04-21 10:06:44 UTC 
Missing validation of ZIP64 content in a ZIP file can lead to out-of-bounds reads.
Comment 1 Michal Findra 2026-04-23 09:01:30 UTC 
This CVE was fixed in Oracle Java SE 8u491, 11.0.31, 17.0.19, 21.0.11, 25.0.3. 

https://www.oracle.com/java/technologies/javase/8u491-relnotes.html#R180_491
https://www.oracle.com/java/technologies/javase/11-0-31-relnotes.html#R11_0_31
https://www.oracle.com/java/technologies/javase/17-0-19-relnotes.html#R17_0_19
https://www.oracle.com/java/technologies/javase/21-0-11-relnotes.html
https://www.oracle.com/java/technologies/javase/25-0-3-relnotes.html
Comment 2 Michal Findra 2026-04-23 09:11:25 UTC 
OpenJDK-8 upstream commit:
https://github.com/openjdk/jdk8u/commit/cbb90f85ecf9c9eedd9029b56f40e61555eba11a

OpenJDK-11 upstream commit:
https://github.com/openjdk/jdk11u/commit/7e27a5dfb71b7fbdcc8e29af5ef30b33acbf617d

OpenJDK-17 upstream commit:
https://github.com/openjdk/jdk17u/commit/19151db40c0676335ec6800af1dbb41f836be437

OpenJDK-21 upstream commit:
https://github.com/openjdk/jdk21u/commit/1836962397f3e491b4087cfd04f4b50334d5864c

OpenJDK-25 upstream commit:
https://github.com/openjdk/jdk25u/commit/9bd24eb61831604c6c7437b5afdf0d06e08a73f3
Note You need to log in before you can comment on or make changes to this bug.