{"id":"USN-7673-1","summary":"openjdk-21-crac vulnerabilities","details":"It was discovered that the 2D component of CRaC JDK 21 did not properly\nmanage memory under certain circumstances. An attacker could possibly\nuse this issue to cause a denial of service or execute arbitrary code.\n(CVE-2025-30749, CVE-2025-50106)\n\nVMashroor Hasan Bhuiyan discovered that the JSSE component of CRaC JDK 21\ndid not properly manage TLS 1.3 handshakes under certain circumstances.\nAn attacker could possibly use this issue to obtain sensitive\ninformation. (CVE-2025-30754)\n\nMartin van Wingerden and Violeta Georgieva of Broadcom discovered\nthat the Networking component of CRaC JDK 21 did not properly\nmanage network connections under certain circumstances. An attacker\ncould possibly use this issue to obtain sensitive information.\n(CVE-2025-50059)\n\nIn addition to security fixes, the updated packages contain bug fixes, new\nfeatures, and possibly incompatible changes.\n\nPlease see the following for more information:\nhttps://openjdk.org/groups/vulnerability/advisories/2025-07-15","modified":"2026-02-04T02:56:57.259580Z","published":"2025-07-28T02:14:27.926165Z","related":["UBUNTU-CVE-2025-30749","UBUNTU-CVE-2025-30754","UBUNTU-CVE-2025-50059","UBUNTU-CVE-2025-50106"],"upstream":["CVE-2025-30749","CVE-2025-30754","CVE-2025-50059","CVE-2025-50106","UBUNTU-CVE-2025-30749","UBUNTU-CVE-2025-30754","UBUNTU-CVE-2025-50059","UBUNTU-CVE-2025-50106"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7673-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-30749"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-30754"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-50059"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-50106"}],"affected":[{"package":{"name":"openjdk-21-crac","ecosystem":"Ubuntu:25.04","purl":"pkg:deb/ubuntu/openjdk-21-crac@21.0.8+9-0ubuntu2~25.04?arch=source&distro=plucky"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"21.0.8+9-0ubuntu2~25.04"}]}],"versions":["21.0.5+0-0ubuntu2","21.0.5+11-0ubuntu1","21.0.6+7-0ubuntu1","21.0.7+6.1-0ubuntu1~25.04"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"21.0.8+9-0ubuntu2~25.04","binary_name":"openjdk-21-crac-demo"},{"binary_version":"21.0.8+9-0ubuntu2~25.04","binary_name":"openjdk-21-crac-jdk"},{"binary_version":"21.0.8+9-0ubuntu2~25.04","binary_name":"openjdk-21-crac-jdk-headless"},{"binary_version":"21.0.8+9-0ubuntu2~25.04","binary_name":"openjdk-21-crac-jre"},{"binary_version":"21.0.8+9-0ubuntu2~25.04","binary_name":"openjdk-21-crac-jre-headless"},{"binary_version":"21.0.8+9-0ubuntu2~25.04","binary_name":"openjdk-21-crac-jre-zero"},{"binary_version":"21.0.8+9-0ubuntu2~25.04","binary_name":"openjdk-21-crac-source"},{"binary_version":"21.0.8+9-0ubuntu2~25.04","binary_name":"openjdk-21-crac-testsupport"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7673-1.json","cves_map":{"ecosystem":"Ubuntu:25.04","cves":[{"id":"CVE-2025-30749","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-30754","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-50059","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2025-50106","severity":[{"score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]}}}],"schema_version":"1.7.3"}