USN-7996-1: CRaC JDK 25 vulnerabilities
Publication date
2 February 2026
Overview
Several security issues were fixed in CRaC JDK 25.
Releases
Packages
- openjdk-25-crac - Open Source Java implementation with Coordinated Restore at Checkpoints
Details
It was discovered that the RMI component of CRaC JDK 25 would establish
RMI TCP endpoint connections to a remote host without setting an
endpoint identification algorithm. An unauthenticated remote attacker
could possibly use this issue to steal sensitive information.
(CVE-2026-21925)
Mingijung discovered that the AWT and JavaFX componenets of CRaC JDK 25
could run programs if Desktop.browse() was supplied a filename as a
URI. An unauthenticated remote attacker could possibly use this issue
to execute arbitrary code. (CVE-2026-21932)
Zhihui Chen discovered that the Networking component of CRaC JDK 25
was suceptible to a CRLF injection vulnerability via the HttpServer
class. An unauthenticated remote attacker could possibly use this
issue to modify files or leak sensitive information. (
It was discovered that the RMI component of CRaC JDK 25 would establish
RMI TCP endpoint connections to a remote host without setting an
endpoint identification algorithm. An unauthenticated remote attacker
could possibly use this issue to steal sensitive information.
(CVE-2026-21925)
Mingijung discovered that the AWT and JavaFX componenets of CRaC JDK 25
could run programs if Desktop.browse() was supplied a filename as a
URI. An unauthenticated remote attacker could possibly use this issue
to execute arbitrary code. (CVE-2026-21932)
Zhihui Chen discovered that the Networking component of CRaC JDK 25
was suceptible to a CRLF injection vulnerability via the HttpServer
class. An unauthenticated remote attacker could possibly use this
issue to modify files or leak sensitive information. (CVE-2026-21933)
Ireneusz Pastusiak discovered that the Security component of CRaC JDK
25 failed to verify provided URIs point to a legitimate source when
AIA is enabled. An unauthenticated remote attacker could possibly
use this issue to redirect users to malicious hosts.
(CVE-2026-21945)
In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.
Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-01-20
Update instructions
This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart Java applications to make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 25.10 questing | openjdk-25-crac-jdk – 25.0.2+10-0ubuntu1~25.10 | ||
| openjdk-25-crac-jdk-headless – 25.0.2+10-0ubuntu1~25.10 | |||
| openjdk-25-crac-jre – 25.0.2+10-0ubuntu1~25.10 | |||
| openjdk-25-crac-jre-headless – 25.0.2+10-0ubuntu1~25.10 | |||
| openjdk-25-crac-jre-zero – 25.0.2+10-0ubuntu1~25.10 | |||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.