Skip to main content

OpenJDK CVE-2026-10037

| EUVDEUVD-2026-42435 HIGH
Improper Input Validation (CWE-20)
2026-07-08 security@ubuntu.com GHSA-xg8h-3f4m-39v6
8.8
CVSS 3.1 · Vendor: ubuntu
Share

Severity by source

Vendor (ubuntu) PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Attacker is an already-running low-privileged sandboxed process (AV:L, PR:L), no user interaction, and the sandbox-to-host break is a scope change (S:C) yielding full host C/I/A loss.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (ubuntu).

CVSS VectorVendor: ubuntu

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 23:04 EUVD
Analysis Generated
Jul 08, 2026 - 22:31 vuln.today

DescriptionCVE.org

A sandbox escape vulnerability exists in the OpenJDK packages provided in Ubuntu. The .jar MIME handlers installed by these packages execute files marked as executable when the mailcap package is installed. A compromised or malicious sandboxed application with access to the OpenURI portal via xdg-desktop-portal-gtk can write a malicious .jar file to the host file system, set its executable bit, and trigger the handler to execute arbitrary code outside of the sandbox environment.

AnalysisAI

Sandbox escape in the OpenJDK packages shipped by Ubuntu allows a compromised sandboxed application to break out and run arbitrary code on the host. Because the packages' .jar MIME handlers execute any file flagged executable (when the mailcap package is present), an app abusing the OpenURI portal through xdg-desktop-portal-gtk can drop a malicious .jar, set its executable bit, and invoke the handler. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Compromise sandboxed desktop application
Delivery
Write malicious .jar via OpenURI portal
Exploit
Set executable bit on host file
Execution
Trigger OpenJDK mailcap .jar handler
Persist
Execute arbitrary code outside sandbox
Impact
Full host compromise as user

Vulnerability AssessmentAI

Exploitation Exploitation requires all of: an Ubuntu system with the vulnerable OpenJDK package installed and its .jar mailcap MIME handler registered, the mailcap package present (this is the precise 'when installed' trigger that makes handlers execute executable-flagged files), xdg-desktop-portal-gtk running to expose the OpenURI portal, and an already-compromised or malicious sandboxed application that has portal access and can write to a host-reachable filesystem location and set the executable bit. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (8.8) is internally consistent with the description: the attacker is a local, already-running but low-privileged sandboxed process (AV:L, PR:L), needs no victim interaction (UI:N), and the sandbox-to-host break is precisely the scope change (S:C) that drives the high score, with full host C/I/A loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker compromises a Flatpak/Snap-confined application on an Ubuntu desktop (for example via a malicious document or a supply-chain-tainted app) and, from inside the sandbox, uses the OpenURI portal exposed by xdg-desktop-portal-gtk to write a crafted .jar to a host-accessible path, mark it executable, and request that it be opened. The OpenJDK mailcap handler then runs the jar outside the sandbox, giving the attacker arbitrary code execution with the desktop user's full host privileges. …
Remediation No vendor-released patch identified at time of analysis; the only reference is the Ubuntu Launchpad tracking bug (https://bugs.launchpad.net/ubuntu/+source/openjdk-25/+bug/2153100), so monitor Ubuntu Security Notices for the fixed openjdk package versions and upgrade as soon as they publish. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Ubuntu systems running OpenJDK packages and identify those hosting sandboxed applications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy