Common Vulnerabilities and Exposures Fixes for April 2026

Table of Contents

April 2026 CVE Fix
In-Depth Non-CVE Security Fixes

Need help?

Schedule a consultation with an Azul performance expert.

The following Azul Prime releases contain the April 2026 CPU release of OpenJDK:

CPU	PSU
26.02.100.0	-
25.08.500.0	-

CPU

PSU

26.02.100.0

25.08.500.0

The following table lists the latest CVE fixes added in the Azul Prime CPU release. The CVE IDs in the table apply to JDK 8, JDK 11, JDK 17, JDK 21, and JDK 25 unless noted otherwise.

April 2026 CVE Fix

CVSS VERSION 3.1 RISK

CVE #	Component	Protocol	Remote Exploit w/o Auth.	Base Score	Attack Vector	Attack Complex	Privileges Req’d	User Interact	Scope	Confiden-tiality	Integrity	Availability	Versions Affected	Notes
CVE-2026-22016	JAXP	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	High	None	None	25, 21, 17, 11, 8	Note 2
CVE-2026-34282	Networking	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	None	None	High	25, 21, 17, 11	Note 2
CVE-2026-22013	JGSS	Multiple	Yes	5.3	Network	High	None	Required	Unchanged	High	None	None	25, 21, 17, 11, 8	Note 1
CVE-2026-22021	JSSE	HTTPS	Yes	5.3	Network	Low	None	None	Unchanged	None	None	Low	25, 21, 17, 11, 8	Note 2
CVE-2026-23865	2D (FreeType)	None	No	5.3	Local	Low	None	Required	Unchanged	Low	Low	Low	25, 21, 17, 11, 8	Note 2
CVE-2026-22008	Libraries	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	Low	None	25	Note 1
CVE-2026-22018	Libraries	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	None	Low	25, 21, 17, 11, 8	Note 2
CVE-2026-22007	Security	None	No	2.9	Local	High	None	None	Unchanged	Low	None	None	25, 21, 17, 11, 8	Note 2
CVE-2026-34268	Security	None	No	2.9	Local	High	None	None	Unchanged	Low	None	None	25, 21, 17, 11, 8	Note 2
CVE-2026-20652 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	JavaFX (WebKitGTK)	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	None	None	High	None	Note 1, Note 3
CVE-2026-22003 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Hotspot	None	No	6.0	Local	High	Low	Required	Unchanged	None	High	High	None	Note 1

CVE #

Component

Protocol

Remote Exploit w/o Auth.

Base Score

Attack Vector

Attack Complex

Privileges Req’d

User Interact

Scope

Confiden-tiality

Integrity

Availability

Versions Affected

Notes

CVE-2026-22016

JAXP

Multiple

Yes

7.5

Network

Low

None

Unchanged

High

None

25, 21, 17, 11, 8

Note 2

CVE-2026-34282

Networking

Multiple

Yes

7.5

Network

Low

None

Unchanged

None

High

25, 21, 17, 11

Note 2

CVE-2026-22013

JGSS

Multiple

Yes

5.3

Network

High

None

Required

Unchanged

High

None

25, 21, 17, 11, 8

Note 1

CVE-2026-22021

JSSE

HTTPS

Yes

5.3

Network

Low

None

Unchanged

None

Low

25, 21, 17, 11, 8

Note 2

CVE-2026-23865

2D (FreeType)

None

5.3

Local

Low

None

Required

Unchanged

Low

25, 21, 17, 11, 8

Note 2

CVE-2026-22008

Libraries

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

None

Note 1

CVE-2026-22018

Libraries

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

25, 21, 17, 11, 8

Note 2

CVE-2026-22007

Security

None

2.9

Local

High

None

Unchanged

Low

None

25, 21, 17, 11, 8

Note 2

CVE-2026-34268

Security

None

2.9

Local

High

None

Unchanged

Low

None

25, 21, 17, 11, 8

Note 2

CVE-2026-20652 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

JavaFX (WebKitGTK)

Multiple

Yes

7.5

Network

Low

None

Unchanged

None

High

None

Note 1, Note 3

CVE-2026-22003 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Hotspot

None

6.0

Local

High

Low

Required

Unchanged

None

High

None

Note 1

Notes:

ID	Notes
1	This vulnerability applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
2	This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.
3	The patch for CVE-2026-20652 also addresses CVE-2025-43457, CVE-2026-20608, CVE-2026-20635, CVE-2026-20636, CVE-2026-20644, and CVE-2026-20676.

Base and Impact Metric:

Metrics	Values
Attack Vector	Network (N), Adjacent (A), Local (L), and Physical (P)
Attack Complexity	Low (L) and High (H)
Privileges Required	None (N), Low (L), and High (H)
User Interaction	None (N) and Required (R)
Scope	Unchanged (U) and Changed (C)
Confidentiality Impact	High (H), Low (L), and None (N)
Integrity Impact	High (H), Low (L), and None (N)
Availability Impact	High (H), Low (L), and None (N)

Metrics

Values

Attack Vector

Network (N), Adjacent (A), Local (L), and Physical (P)

Attack Complexity

Low (L) and High (H)

Privileges Required

None (N), Low (L), and High (H)

User Interaction

None (N) and Required (R)

Scope

Unchanged (U) and Changed (C)

Confidentiality Impact

High (H), Low (L), and None (N)

Integrity Impact

High (H), Low (L), and None (N)

Availability Impact

High (H), Low (L), and None (N)

In-Depth Non-CVE Security Fixes

The following table lists the in-depth non-CVE security fixes implemented specifically for Azul Prime.

April 2026 Non-CVE Security Fix

OpenJDK Patch ID	Azul Prime Version	Synopsis	CPU/PSUCPU fixes are included in both CPU and PSU bundles. PSU fixes are included in the PSU bundles only.
JDK-8348014	8,11,17,21,25	Enhance certificate processing	PSU
JDK-8350692	21	Enhance Reference handling	PSU
JDK-8364373	8,11,17,21,25	Transform Affine transformations	CPU,PSU
JDK-8364465	8,11,17,21,25	Enhance behavior of some intrinsics	CPU,PSU
JDK-8370995	8,11,17,21,25	Enhance ZipFile usage	PSU

OpenJDK Patch ID

Azul Prime Version

Synopsis

JDK-8348014

8,11,17,21,25

Enhance certificate processing

PSU

JDK-8350692

Enhance Reference handling

PSU

JDK-8364373

8,11,17,21,25