Security update for java-1_8_0-openj9

Announcement ID:	SUSE-SU-2026:2036-1
Release Date:	2026-05-21T11:56:22Z
Rating:	important
References:	bsc#1259118 bsc#1262490 bsc#1262494 bsc#1262495 bsc#1262496 bsc#1262497 bsc#1262500 bsc#1265261
Cross-References:	CVE-2026-1188 CVE-2026-22007 CVE-2026-22013 CVE-2026-22016 CVE-2026-22018 CVE-2026-22021 CVE-2026-23865 CVE-2026-34268
CVSS scores:	CVE-2026-1188 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2026-1188 ( NVD ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVE-2026-1188 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2026-22007 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2026-22007 ( SUSE ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2026-22007 ( NVD ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2026-22013 ( SUSE ): 6.0 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2026-22013 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2026-22013 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2026-22016 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2026-22016 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2026-22016 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2026-22018 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-22018 ( SUSE ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-22018 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-22021 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVE-2026-22021 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-22021 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2026-23865 ( SUSE ): 4.6 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2026-23865 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2026-23865 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L CVE-2026-34268 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N CVE-2026-34268 ( SUSE ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2026-34268 ( NVD ): 2.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected Products:	SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Package Hub 15 15-SP7

An update that solves eight vulnerabilities can now be installed.

Description:

This update for java-1_8_0-openj9 fixes the following issues

• CVE-2026-1188: eclipse: ensure room for separator in omrsysinfo_get_processor_feature_string (bsc#1265261).
• CVE-2026-22007: APIs in the specified component can lead to an unauthorized read access (bsc#1262490).
• CVE-2026-22013: unauthenticated attacker with network access can access to critical data (bsc#1262494).
• CVE-2026-22016: APIs in the specified Component can cause unauthorized access to critical data (bsc#1262495).
• CVE-2026-22018: unauthenticated attacker with network access can cause a partial denial of service (bsc#1262496).
• CVE-2026-22021: APIs in the specified Component can cause a partial denial of service (bsc#1262497).
• CVE-2026-23865: Integer overflow in the tt_var_load_item_variation_store function (bsc#1259118).
• CVE-2026-34268: unauthenticated attacker with logon can gain unauthorized read access (bsc#1262500).

Changes for java-1_8_0-openj9:

• Update to OpenJDK 8u492 build 09 with OpenJ9 0.59.0 virtual machine

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Package Hub 15 15-SP7
  zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2026-2036=1

Package List:

• SUSE Package Hub 15 15-SP7 (ppc64le s390x)
  • java-1_8_0-openj9-headless-1.8.0.492-150200.3.68.1
  • java-1_8_0-openj9-1.8.0.492-150200.3.68.1
  • java-1_8_0-openj9-headless-debuginfo-1.8.0.492-150200.3.68.1
  • java-1_8_0-openj9-accessibility-1.8.0.492-150200.3.68.1
  • java-1_8_0-openj9-devel-debuginfo-1.8.0.492-150200.3.68.1
  • java-1_8_0-openj9-debuginfo-1.8.0.492-150200.3.68.1
  • java-1_8_0-openj9-devel-1.8.0.492-150200.3.68.1
  • java-1_8_0-openj9-src-1.8.0.492-150200.3.68.1
  • java-1_8_0-openj9-demo-1.8.0.492-150200.3.68.1
  • java-1_8_0-openj9-demo-debuginfo-1.8.0.492-150200.3.68.1
  • java-1_8_0-openj9-debugsource-1.8.0.492-150200.3.68.1

References:

• https://www.suse.com/security/cve/CVE-2026-1188.html
• https://www.suse.com/security/cve/CVE-2026-22007.html
• https://www.suse.com/security/cve/CVE-2026-22013.html
• https://www.suse.com/security/cve/CVE-2026-22016.html
• https://www.suse.com/security/cve/CVE-2026-22018.html
• https://www.suse.com/security/cve/CVE-2026-22021.html
• https://www.suse.com/security/cve/CVE-2026-23865.html
• https://www.suse.com/security/cve/CVE-2026-34268.html
• https://bugzilla.suse.com/show_bug.cgi?id=1259118
• https://bugzilla.suse.com/show_bug.cgi?id=1262490
• https://bugzilla.suse.com/show_bug.cgi?id=1262494
• https://bugzilla.suse.com/show_bug.cgi?id=1262495
• https://bugzilla.suse.com/show_bug.cgi?id=1262496
• https://bugzilla.suse.com/show_bug.cgi?id=1262497
• https://bugzilla.suse.com/show_bug.cgi?id=1262500
• https://bugzilla.suse.com/show_bug.cgi?id=1265261