CVE-2013-2465
CVE-2013-2465 is a critical-severity vulnerability in Oracle Jre with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-28). The underlying weakness is classified as CWE-693.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 10.0
- EPSS exploit prediction: 99% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-03-28)
- EU (EUVD) id: EUVD-2013-2411
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-03-28)
- Weakness: CWE-693
- Affected product: Oracle Jre
- Published:
- Last modified:
Description
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image channel verification" in 2D.
CVE-2013-2465: Critical Java 2D Image Channel Verification Vulnerability
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2013-2465 |
| Published | 2013-06-18 |
| CVSS v2 | 10.0 (Critical) |
| CVSS v3 | 9.8 (Critical) |
| EPSS | 0.98704 |
| KEV | Yes (added 2022-03-28) |
| CWE | CWE-693 |
Summary
CVE-2013-2465 is an unspecified vulnerability in the Java Runtime Environment (JRE) 2D component. The flaw allows remote attackers to affect confidentiality, integrity, and availability through unknown vectors. Third-party analysis suggests the root cause involves incorrect image channel verification in the Java 2D library, which can be leveraged to bypass the Java sandbox.
Background
The Java 2D API is a core component of the Java platform that provides two-dimensional graphics, image processing, and text rendering capabilities. In June 2013, Oracle disclosed this vulnerability as part of its Critical Patch Update (CPU). The vulnerability is particularly severe because it affects the default JRE installation and can be exploited without authentication.
Root Cause
CWE-693: Protection Mechanism Failure. The vulnerability stems from improper validation of image channel data within the Java 2D component. According to third-party analysis, the flaw involves "incorrect image channel verification," which may allow a malicious applet or application to corrupt memory or bypass security checks that enforce the Java sandbox.
Impact
- CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- CVSS v3: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
This is a critical remote code execution vulnerability. A successful exploit can lead to complete compromise of the target system, including full confidentiality, integrity, and availability loss. The vulnerability is network-exploitable with low attack complexity and no required privileges or user interaction.
Exploitation Walkthrough
Defensive perspective only. An attacker would likely deliver a malicious Java applet or web-start application containing a specially crafted image. When the Java 2D library processes the image, the incorrect channel verification could lead to memory corruption or sandbox escape.
Ethics caveat: This description is for defensive understanding only. The actual exploit techniques involve memory corruption primitives; attempting to reproduce them on systems without explicit authorization is illegal and unethical.
Affected and Patched Versions
Affected:
- Oracle Java SE 7 Update 21 and earlier
- Oracle Java SE 6 Update 45 and earlier
- Oracle Java SE 5.0 Update 45 and earlier
- OpenJDK 7
Patched:
- Patched versions were released in Oracle's June 2013 Critical Patch Update.
- OpenSUSE Tumbleweed: patched in
java-1_7_0-openjdkversion1.7.0.121-1.1or later.
Remediation
- Upgrade immediately: Install the latest Java updates from Oracle or your operating system vendor. Java 7, 6, and 5 are all end-of-life; migration to a supported Java version (Java 8 or later) is strongly recommended.
- Disable Java in browsers: If Java is not required for web applications, disable the browser plugin entirely.
- Application whitelisting: Use application control policies to prevent unauthorized Java execution.
- Network segmentation: Isolate systems that require legacy Java from untrusted networks.
Detection
- Monitor for execution of outdated Java versions in your environment.
- Use vulnerability scanners to detect installations of Java 7u21, 6u45, and 5u45 or earlier.
- Network monitoring may reveal suspicious applet traffic, though exploit traffic can be obfuscated.
- Reference: Vicarius detection guidance
Assessment
CVE-2013-2465 carries an EPSS score of 0.98704 (98.7% probability of exploitation in the wild) and has been listed in CISA's Known Exploited Vulnerabilities catalog since 2022-03-28. The high exploitability and wide deployment of vulnerable Java versions make this a persistent threat, particularly in legacy environments that still run outdated Java.
Key lessons:
- Legacy software components with broad attack surfaces (like Java 2D) require proactive patch management.
- End-of-life software should be prioritized for replacement rather than incremental patching.
References
- Oracle June 2013 CPU: http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-2465
- US-CERT Alert TA13-169A: http://www.us-cert.gov/ncas/alerts/TA13-169A
- Vicarius Detection: https://www.vicarius.io/vsociety/posts/cve-2013-2465-detect-java-vulnerability
- Vicarius Mitigation: https://www.vicarius.io/vsociety/posts/cve-2013-2465-mitigate-java-vulnerability
- Red Hat RHSA-2013-0963: http://rhn.redhat.com/errata/RHSA-2013-0963.html
- OpenJDK Fix: http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040
Frequently asked questions
- What is CVE-2013-2465?
- Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image channel verification" in 2D.
- How severe is CVE-2013-2465?
- CVE-2013-2465 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2013-2465 being actively exploited?
- Yes. CVE-2013-2465 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-28, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2013-2465?
- CVE-2013-2465 primarily affects Oracle Jre. In total, 104 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2013-2465?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2013-2465 have an EU (EUVD) identifier?
- Yes. CVE-2013-2465 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2013-2411. It is also flagged as exploited in the EUVD (since 2022-03-28).
- When was CVE-2013-2465 published?
- CVE-2013-2465 was published on 2013-06-18 and last updated on 2026-06-16.
References
- http://advisories.mageia.org/MGASA-2013-0185.html
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03898880
- http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/2a9c79db0040
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00031.html
- http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html
- http://marc.info/?l=bugtraq&m=137545505800971&w=2
- http://marc.info/?l=bugtraq&m=137545592101387&w=2
- http://rhn.redhat.com/errata/RHSA-2013-0963.html
- http://rhn.redhat.com/errata/RHSA-2013-1059.html
- http://rhn.redhat.com/errata/RHSA-2013-1060.html
- http://rhn.redhat.com/errata/RHSA-2013-1081.html
- http://rhn.redhat.com/errata/RHSA-2013-1455.html
- http://rhn.redhat.com/errata/RHSA-2013-1456.html
- http://secunia.com/advisories/54154
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://www-01.ibm.com/support/docview.wss?uid=swg21642336
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:183
- http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
- http://www.securityfocus.com/bid/60657
- http://www.us-cert.gov/ncas/alerts/TA13-169A
- https://access.redhat.com/errata/RHSA-2014:0414
- https://bugzilla.redhat.com/show_bug.cgi?id=975118
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17106
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19074
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19455
Affected products (104)
- cpe:2.3:a:oracle:jre:1.7.0:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update10:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update11:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update13:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update15:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update17:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update21:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update3:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update5:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update6:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update7:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update9:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update22:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update23:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update24:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update25:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update26:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update27:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update29:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update30:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update31:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update32:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update33:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update34:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update35:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update37:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update38:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update39:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update41:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update43:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.6.0:update45:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_1:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_10:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_11:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_12:*:*:*:*:*:*
- cpe:2.3:a:sun:jre:1.6.0:update_13:*:*:*:*:*:*
More vulnerabilities in Oracle Jre
- CVE-2016-0494 — Critical (CVSS 10.0): Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and…
- CVE-2016-0483 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u105, 7u91, and 8u66; Java SE Embedded 8u65; and JRockit R28.3.8 allows…
- CVE-2015-4883 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
- CVE-2015-4881 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
- CVE-2015-4860 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
- CVE-2015-4844 — Critical (CVSS 10.0): Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers…
All CVEs affecting Oracle Jre →
Other CWE-693 (Protection Mechanism Failure) vulnerabilities
- CVE-2026-47140 — Critical (CVSS 10.0): vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins…
- CVE-2026-34208 — Critical (CVSS 10.0): SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects…
- CVE-2026-34938 — Critical (CVSS 10.0): PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs…
- CVE-2026-2761 — Critical (CVSS 10.0): Sandbox escape in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33,…
- CVE-2022-32845 — Critical (CVSS 10.0): This issue was addressed with improved checks. This issue is fixed in watchOS 8.7, iOS 15.6 and iPadOS 15.6, macOS…
- CVE-2026-45102 — Critical (CVSS 9.9): OneUptime is an open-source monitoring and observability platform. Prior to 10.0.98, OneUptime uses the Node.js' vm…
Browse all CWE-693 (Protection Mechanism Failure) vulnerabilities →