CVE-2026-21947
Description
Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A difficult-to-exploit vulnerability in Oracle Java SE JavaFX allows unauthenticated network attackers to modify data with user interaction.
Vulnerability
Overview
CVE-2026-21947 is a vulnerability in the JavaFX component of Oracle Java SE; the only supported version Oracle lists as affected is Java SE 8u471-b50 [1]. Oracle's advisory does not describe the root cause beyond the component name and the impact classification: a low-severity integrity flaw that can lead to unauthorized update, insert or delete of some data accessible to Java SE, with no confidentiality or availability impact [1].
Exploitation
Conditions
Oracle rates the vulnerability as difficult to exploit (CVSS AC:H). The attacker needs no authentication (PR:N) and reaches the component over the network via multiple protocols (AV:N), but exploitation also requires action by a person other than the attacker (UI:R), in practice a user launching untrusted content such as a sandboxed Java Web Start application or applet [1]. The attack surface is therefore limited to client deployments that load untrusted code and rely on the Java sandbox; per Oracle's note, deployments that run only trusted, administrator-installed code, the typical server case, are not affected [1].
Impact
Successful exploitation permits an attacker to perform unauthorized update, insert, or delete operations on some of the data accessible to Oracle Java SE [1]. The CVSS 3.1 base score is 3.1 (vector AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N): low integrity impact, no confidentiality or availability impact, and no scope change [1].
Mitigation
This page's patch tracker lists no entry for this CVE [1]. Oracle ships Java SE fixes through its quarterly Critical Patch Update, so check the CPU advisory that lists CVE-2026-21947 for the fixed release and apply it. Until then, disable or restrict Java Web Start and applet execution on client systems, the only deployment type Oracle's note describes as affected; server deployments that run only trusted code need no workaround. The vulnerability also affects Siemens SIMATIC CN 4100 devices, for which Siemens recommends updating to version V5.0 or later [1]; see the CISA ICS advisory cited below.
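The workaround above is only useful if you can find which hosts still run the affected build with browser Java enabled. The following is an added example, not Oracle's code and not part of this page, that parses `java -version` output and a Java 8 `deployment.properties` file and reports whether a host is exposed. It assumes that Java 8 builds older than 8u471-b50 should be treated as affected too (Oracle's advisory lists only supported versions, so older unpatched builds are not excluded), and it uses the standard Java 8 deployment keys `deployment.webjava.enabled` and `deployment.security.level`; the sample inputs are constructed, not captured from a real host.

```python
"""Exposure check for CVE-2026-21947 (Oracle Java SE 8, JavaFX).

Added example, not Oracle code. Assumption: every Java 8 build at or below
8u471-b50 is treated as affected, since Oracle only lists supported versions.
"""
import re
from typing import Dict, Optional, Tuple

# Version named in Oracle's advisory: Java SE 8u471-b50 -> (update, build).
AFFECTED_8U = (471, 50)

# Java 8 prints e.g.  Java(TM) SE Runtime Environment (build 1.8.0_471-b50)
# Java 9+ prints e.g. OpenJDK Runtime Environment (build 17.0.8+7), which deliberately
# does not match: Web Start and applets were removed after Java 8.
_JAVA8_BUILD = re.compile(r"\(build 1\.8\.0_(\d+)-b(\d+)\)")


def parse_java8_build(version_output: str) -> Optional[Tuple[int, int]]:
    """Return (update, build) from `java -version` output for a Java 8 runtime, else None."""
    m = _JAVA8_BUILD.search(version_output)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(version_output: str) -> bool:
    """True for 8u471-b50 and (assumption) any older Java 8 build; False for non-Java-8."""
    v = parse_java8_build(version_output)
    return v is not None and v <= AFFECTED_8U


def parse_deployment_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value or key:value, '#'/'!' comment lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def browser_java_enabled(props: Dict[str, str]) -> bool:
    """Java 8 runs applets and Web Start unless deployment.webjava.enabled=false is set."""
    return props.get("deployment.webjava.enabled", "true").lower() != "false"


def assess_host(version_output: str, deployment_properties: str) -> Dict[str, object]:
    """Combine build check and deployment policy into one verdict per host."""
    props = parse_deployment_properties(deployment_properties)
    affected = is_affected(version_output)
    webjava = browser_java_enabled(props)
    return {
        "affected_build": affected,
        "webjava_enabled": webjava,
        "security_level": props.get("deployment.security.level", "HIGH"),  # Java 8 default
        # Exposure needs both: the vulnerable build and a path for untrusted code to reach it.
        "exposed": affected and webjava,
    }


# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION_AFFECTED = (
    'java version "1.8.0_471"\n'
    "Java(TM) SE Runtime Environment (build 1.8.0_471-b50)\n"
    "Java HotSpot(TM) 64-Bit Server VM (build 25.471-b50, mixed mode)\n"
)
SAMPLE_VERSION_JAVA17 = (
    'openjdk version "17.0.8" 2023-07-18\n'
    "OpenJDK Runtime Environment (build 17.0.8+7)\n"
)
SAMPLE_PROPS_DEFAULT = "#deployment.properties\ndeployment.security.level=HIGH\n"
SAMPLE_PROPS_HARDENED = (
    "# browser Java off; VERY_HIGH is the most restrictive Java 8 security level\n"
    "deployment.webjava.enabled=false\n"
    "deployment.security.level=VERY_HIGH\n"
)

if __name__ == "__main__":
    for label, ver, props in [
        ("default config, 8u471-b50", SAMPLE_VERSION_AFFECTED, SAMPLE_PROPS_DEFAULT),
        ("hardened config, 8u471-b50", SAMPLE_VERSION_AFFECTED, SAMPLE_PROPS_HARDENED),
        ("Java 17", SAMPLE_VERSION_JAVA17, SAMPLE_PROPS_DEFAULT),
    ]:
        print(label, assess_host(ver, props))
```

On a real fleet, feed each host's `java -version` stderr and its system-wide `deployment.properties` (the file named by `deployment.system.config` in `deployment.config`) into `assess_host`; a host with `affected_build` true but `webjava_enabled` false still needs the patch, but has no browser-reachable path for the untrusted code this advisory describes.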
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Oracle Corporation / Oracle Java SE, version 8u471-b50 (exact version match)
Patches
No patches discovered yet.
References
News mentions
- Siemens SIMATIC (CISA ICS Advisories)