Packages
- openjdk-21 - Open Source Java implementation
Details
It was discovered that the RMI component of OpenJDK 21 would establish
RMI TCP endpoint connections to a remote host without setting an
endpoint identification algorithm. An unauthenticated remote attacker
could possibly use this issue to steal sensitive information.
(CVE-2026-21925)
Mingijung discovered that the AWT and JavaFX componenets of OpenJDK 21
could run programs if Desktop.browse() was supplied a filename as a
URI. An unauthenticated remote attacker could possibly use this issue
to execute arbitrary code. (CVE-2026-21932)
Zhihui Chen discovered that the Networking component of OpenJDK 21
was suceptible to a CRLF injection vulnerability via the HttpServer
class. An unauthenticated remote attacker could possibly use this
issue to modify files or leak sensitive information. (
It was discovered that the RMI component of OpenJDK 21 would establish
RMI TCP endpoint connections to a remote host without setting an
endpoint identification algorithm. An unauthenticated remote attacker
could possibly use this issue to steal sensitive information.
(CVE-2026-21925)
Mingijung discovered that the AWT and JavaFX componenets of OpenJDK 21
could run programs if Desktop.browse() was supplied a filename as a
URI. An unauthenticated remote attacker could possibly use this issue
to execute arbitrary code. (CVE-2026-21932)
Zhihui Chen discovered that the Networking component of OpenJDK 21
was suceptible to a CRLF injection vulnerability via the HttpServer
class. An unauthenticated remote attacker could possibly use this
issue to modify files or leak sensitive information. (CVE-2026-21933)
Ireneusz Pastusiak discovered that the Security component of OpenJDK 21
failed to verify provided URIs point to a legitimate source when
AIA is enabled. An unauthenticated remote attacker could possibly
use this issue to redirect users to malicious hosts.
(CVE-2026-21945)
In addition to security fixes, the updated packages contain bug fixes,
new features, and possibly incompatible changes.
Please see the following for more information:
https://openjdk.org/groups/vulnerability/advisories/2026-01-20
Update instructions
This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart Java applications to make all the necessary changes.
Learn more about how to get the fixes.The problem can be corrected by updating your system to the following package versions:
| Ubuntu Release | Package Version | ||
|---|---|---|---|
| 25.10 questing | openjdk-21-jdk – 21.0.10+7-1~25.10 | ||
| openjdk-21-jdk-headless – 21.0.10+7-1~25.10 | |||
| openjdk-21-jre – 21.0.10+7-1~25.10 | |||
| openjdk-21-jre-headless – 21.0.10+7-1~25.10 | |||
| openjdk-21-jre-zero – 21.0.10+7-1~25.10 | |||
| 24.04 LTS noble | openjdk-21-jdk – 21.0.10+7-1~24.04 | ||
| openjdk-21-jdk-headless – 21.0.10+7-1~24.04 | |||
| openjdk-21-jre – 21.0.10+7-1~24.04 | |||
| openjdk-21-jre-headless – 21.0.10+7-1~24.04 | |||
| openjdk-21-jre-zero – 21.0.10+7-1~24.04 | |||
| 22.04 LTS jammy | openjdk-21-jdk – 21.0.10+7-1~22.04 | ||
| openjdk-21-jdk-headless – 21.0.10+7-1~22.04 | |||
| openjdk-21-jre – 21.0.10+7-1~22.04 | |||
| openjdk-21-jre-headless – 21.0.10+7-1~22.04 | |||
| openjdk-21-jre-zero – 21.0.10+7-1~22.04 | |||
| 20.04 LTS focal | openjdk-21-jdk – 21.0.10+7-1~20.04 | ||
| openjdk-21-jdk-headless – 21.0.10+7-1~20.04 | |||
| openjdk-21-jre – 21.0.10+7-1~20.04 | |||
| openjdk-21-jre-headless – 21.0.10+7-1~20.04 | |||
| openjdk-21-jre-zero – 21.0.10+7-1~20.04 | |||
Reduce your security exposure
Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.