Security update for java-1_8_0-openjdk

Announcement ID:	SUSE-SU-2026:1955-1
Release Date:	2026-05-18T07:56:14Z
Rating:	important
References:	bsc#1259118 bsc#1262490 bsc#1262494 bsc#1262495 bsc#1262496 bsc#1262497 bsc#1262500
Cross-References:	CVE-2026-22007 CVE-2026-22013 CVE-2026-22016 CVE-2026-22018 CVE-2026-22021 CVE-2026-23865 CVE-2026-34268
CVSS scores:	CVE-2026-22007 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2026-22007 ( SUSE ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2026-22007 ( NVD ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2026-22013 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2026-22013 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2026-22013 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2026-22016 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2026-22016 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2026-22016 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2026-22018 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-22018 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-22018 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-22021 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-22021 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-22021 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-23865 ( SUSE ): 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2026-23865 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2026-23865 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2026-34268 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2026-34268 ( SUSE ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2026-34268 ( NVD ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Products:	Legacy Module 15-SP7 SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server 15 SP4 LTSS SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server 15 SP5 LTSS SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server 15 SP6 LTSS SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP7

An update that solves seven vulnerabilities can now be installed.

Description:

This update for java-1_8_0-openjdk fixes the following issues

• CVE-2026-22007: APIs in the specified component can lead to an unauthorized read access (bsc#1262490).
• CVE-2026-22013: unauthenticated attacker with network access can access to critical data (bsc#1262494).
• CVE-2026-22016: APIs in the specified Component can cause unauthorized access to critical data (bsc#1262495).
• CVE-2026-22018: unauthenticated attacker with network access can cause a partial denial of service (bsc#1262496).
• CVE-2026-22021: APIs in the specified Component can cause a partial denial of service (bsc#1262497).
• CVE-2026-23865: Integer overflow in the tt_var_load_item_variation_store function (bsc#1259118).
• CVE-2026-34268: unauthenticated attacker with logon can gain unauthorized read access (bsc#1262500).

Changes for java-1_8_0-openjdk:

• Update to version jdk8u492 (icedtea 3.39.0)

• JDK-8056039: Hotspot does not compile with clang 3.4 on Linux

• JDK-8074840: Resolve disabled warnings for libjli and libjli_static
• JDK-8132786: java/security/cert/CertPathValidator/OCSP/ /AIACheck.java fails intermittently
• JDK-8153147: Mark java/net/BindException/Test.java as intermittently failing
• JDK-8157758: JDK9 does not compile on Linux with GCC 6.1 because left-shifting a negative number has undefined behavior
• JDK-8170464: Remove shell script from compiler/c2/cr7005594/Test7005594.java
• JDK-8174734: Safepoint sync time did not increase
• JDK-8186149: quarantine gc/survivorAlignment/ /TestPromotionFromSurvivorToTenuredAfterMinorGC.java
• JDK-8220658: Improve the readability of container information in the error log
• JDK-8223145: Replace wildcard address with loopback or local host in tests - part 1
• JDK-8225487: giflib legal file is missing attribution for openbsd-reallocarray.c.
• JDK-8237834: com/sun/jndi/ldap/LdapDnsProviderTest.java failing with LDAP response read timeout
• JDK-8251189: com/sun/jndi/ldap/LdapDnsProviderTest.java failed due to timeout
• JDK-8264524: jdk/internal/platform/docker/ /TestDockerMemoryMetrics.java fails due to swapping not working
• JDK-8274893: Update java.desktop classes to use try-with-resources
• JDK-8277159: Fix java/nio/file/FileStore/Basic.java test by ignoring /run/user/* mount points
• JDK-8284758: [linux] improve print_container_info
• JDK-8285836: sun/net/www/http/KeepAliveCache/ /KeepAliveProperty.java failed with "RuntimeException: Failed in server"
• JDK-8287011: Improve container information
• JDK-8303482: Update LCMS to 2.15
• JDK-8312518: [macos13] setFullScreenWindow() shows black screen on macOS 13 & above
• JDK-8313770: jdk/internal/platform/docker/ /TestSystemMetrics.java fails on Ubuntu
• JDK-8328999: Update GIFlib to 5.2.2
• JDK-8339271: giflib attribution correction
• JDK-8343622: AesDkCrypto.stringToKey should not return null
• JDK-8345578: New test in JDK-8343622 fails with a promoted build
• JDK-8347911: Limit the length of inflated text chunks
• JDK-8348014: Enhance certificate processing
• JDK-8350813: Rendering of bulky sound bank from MIDI sequence can cause OutOfMemoryError
• JDK-8353657: [8u] Test tools/launcher/VersionCheck.java fails with debug build
• JDK-8360869: jcstress is able to crash jdk8 on aarch64 with jfr on
• JDK-8361748: Enforce limits on the size of an XBM image
• JDK-8364373: Transform Affine transformations
• JDK-8364465: Enhance behavior of some intrinsics
• JDK-8364660: ClassVerifier::ends_in_athrow() should be removed
• JDK-8369226: GHA: Switch to MacOS 15
• JDK-8369282: Distrust TLS server certificates anchored by Chunghwa ePKI Root CA
• JDK-8369575: Enhance crypto algorithm support
• JDK-8370529: Enhance Path Factories Redux
• JDK-8370615: Improve Kerberos credentialing
• JDK-8370986: Enhance Zip file reading
• JDK-8370995: Enhance ZipFile usage
• JDK-8371830: Enhance certificate chain validation
• JDK-8371935: Enhance key generation
• JDK-8372660: [8u] ProblemList TestCPUAwareness until 8370492 is addressed
• JDK-8373250: Bump update version of OpenJDK: 8u492
• JDK-8373290: Update FreeType to 2.14.1
• JDK-8373476: (tz) Update Timezone Data to 2025c
• JDK-8373727: New XBM images parser regression: only the first line of the bitmap array is parsed
• JDK-8374899: [8u] Fully handle clang as the toolchain in flags.m4
• JDK-8374917: [8u] C++ flags get passed to C compiles in the HotSpot build
• JDK-8374948: [8u] saproc & jsig builds add duplicate linker flags on Darwin/MacOS
• JDK-8375063: Update Libpng to 1.6.54
• JDK-8375189: [8u] Problem list CAInterop.java#microsoftrsa2017
• JDK-8376225: [8u] GHA: Apply work-around for missing JNF for MacOSX builds
• JDK-8376272: [8u] Windows x86-32 fails to build after JDK-8359501
• JDK-8376338: Test7005594.sh fails when given a memory value with decimals
• JDK-8376352: [8u] Build failure on Windows 32-bit after JDK-8362308
• JDK-8377344: [8u] Compilation failure on Windows for Linux-specific platform metric tests
• JDK-8377526: Update Libpng to 1.6.55
• JDK-8379035: (tz) Update Timezone Data to 2026a
• JDK-8379158: Update FreeType to 2.14.2
• JDK-8379256: Update GIFlib to 6.1.1
• JDK-8380078: Update GIFlib to 6.1.2
• JDK-8380959: Update Libpng to 1.6.56
• JDK-8382047: Update Libpng to 1.6.57
• Bug fixes
• JDK-8162545, GH37: Mac build failure

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-1955=1
• SUSE Linux Enterprise Server 15 SP5 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-1955=1
• SUSE Linux Enterprise Server 15 SP6 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-1955=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-1955=1
• Legacy Module 15-SP7
  zypper in -t patch SUSE-SLE-Module-Legacy-15-SP7-2026-1955=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP5
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-1955=1
• SUSE Linux Enterprise Server for SAP Applications 15 SP6
  zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-1955=1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
  zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-1955=1
• SUSE Linux Enterprise Server 15 SP4 LTSS
  zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-1955=1

Package List:

• SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (aarch64 x86_64)
  • java-1_8_0-openjdk-demo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-demo-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debugsource-1.8.0.492-150000.3.120.1
• SUSE Linux Enterprise Server 15 SP5 LTSS (aarch64 ppc64le s390x x86_64)
  • java-1_8_0-openjdk-demo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-demo-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debugsource-1.8.0.492-150000.3.120.1
• SUSE Linux Enterprise Server 15 SP6 LTSS (aarch64 ppc64le s390x x86_64)
  • java-1_8_0-openjdk-demo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-demo-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debugsource-1.8.0.492-150000.3.120.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP4 (ppc64le x86_64)
  • java-1_8_0-openjdk-demo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-demo-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debugsource-1.8.0.492-150000.3.120.1
• Legacy Module 15-SP7 (aarch64 ppc64le s390x x86_64)
  • java-1_8_0-openjdk-demo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-demo-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debugsource-1.8.0.492-150000.3.120.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP5 (ppc64le x86_64)
  • java-1_8_0-openjdk-demo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-demo-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debugsource-1.8.0.492-150000.3.120.1
• SUSE Linux Enterprise Server for SAP Applications 15 SP6 (ppc64le x86_64)
  • java-1_8_0-openjdk-demo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-demo-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debugsource-1.8.0.492-150000.3.120.1
• SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (aarch64 x86_64)
  • java-1_8_0-openjdk-demo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-demo-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debugsource-1.8.0.492-150000.3.120.1
• SUSE Linux Enterprise Server 15 SP4 LTSS (aarch64 ppc64le s390x x86_64)
  • java-1_8_0-openjdk-demo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-headless-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-demo-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-devel-debuginfo-1.8.0.492-150000.3.120.1
  • java-1_8_0-openjdk-debugsource-1.8.0.492-150000.3.120.1

References:

• https://www.suse.com/security/cve/CVE-2026-22007.html
• https://www.suse.com/security/cve/CVE-2026-22013.html
• https://www.suse.com/security/cve/CVE-2026-22016.html
• https://www.suse.com/security/cve/CVE-2026-22018.html
• https://www.suse.com/security/cve/CVE-2026-22021.html
• https://www.suse.com/security/cve/CVE-2026-23865.html
• https://www.suse.com/security/cve/CVE-2026-34268.html
• https://bugzilla.suse.com/show_bug.cgi?id=1259118
• https://bugzilla.suse.com/show_bug.cgi?id=1262490
• https://bugzilla.suse.com/show_bug.cgi?id=1262494
• https://bugzilla.suse.com/show_bug.cgi?id=1262495
• https://bugzilla.suse.com/show_bug.cgi?id=1262496
• https://bugzilla.suse.com/show_bug.cgi?id=1262497
• https://bugzilla.suse.com/show_bug.cgi?id=1262500