CVE-2013-2465

CVE-2013-2465 is a critical-severity vulnerability in Oracle Jre with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-03-28). The underlying weakness is classified as CWE-693.

Key facts

Description

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image channel verification" in 2D.

CVE-2013-2465: Critical Java 2D Image Channel Verification Vulnerability

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2013-2465
Published 2013-06-18
CVSS v2 10.0 (Critical)
CVSS v3 9.8 (Critical)
EPSS 0.98704
KEV Yes (added 2022-03-28)
CWE CWE-693

Summary

CVE-2013-2465 is an unspecified vulnerability in the Java Runtime Environment (JRE) 2D component. The flaw allows remote attackers to affect confidentiality, integrity, and availability through unknown vectors. Third-party analysis suggests the root cause involves incorrect image channel verification in the Java 2D library, which can be leveraged to bypass the Java sandbox.

Background

The Java 2D API is a core component of the Java platform that provides two-dimensional graphics, image processing, and text rendering capabilities. In June 2013, Oracle disclosed this vulnerability as part of its Critical Patch Update (CPU). The vulnerability is particularly severe because it affects the default JRE installation and can be exploited without authentication.

Root Cause

CWE-693: Protection Mechanism Failure. The vulnerability stems from improper validation of image channel data within the Java 2D component. According to third-party analysis, the flaw involves "incorrect image channel verification," which may allow a malicious applet or application to corrupt memory or bypass security checks that enforce the Java sandbox.

Impact

  • CVSS v2: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
  • CVSS v3: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

This is a critical remote code execution vulnerability. A successful exploit can lead to complete compromise of the target system, including full confidentiality, integrity, and availability loss. The vulnerability is network-exploitable with low attack complexity and no required privileges or user interaction.

Exploitation Walkthrough

Defensive perspective only. An attacker would likely deliver a malicious Java applet or web-start application containing a specially crafted image. When the Java 2D library processes the image, the incorrect channel verification could lead to memory corruption or sandbox escape.

Ethics caveat: This description is for defensive understanding only. The actual exploit techniques involve memory corruption primitives; attempting to reproduce them on systems without explicit authorization is illegal and unethical.

Affected and Patched Versions

Affected:

  • Oracle Java SE 7 Update 21 and earlier
  • Oracle Java SE 6 Update 45 and earlier
  • Oracle Java SE 5.0 Update 45 and earlier
  • OpenJDK 7

Patched:

  • Patched versions were released in Oracle's June 2013 Critical Patch Update.
  • OpenSUSE Tumbleweed: patched in java-1_7_0-openjdk version 1.7.0.121-1.1 or later.

Remediation

  1. Upgrade immediately: Install the latest Java updates from Oracle or your operating system vendor. Java 7, 6, and 5 are all end-of-life; migration to a supported Java version (Java 8 or later) is strongly recommended.
  2. Disable Java in browsers: If Java is not required for web applications, disable the browser plugin entirely.
  3. Application whitelisting: Use application control policies to prevent unauthorized Java execution.
  4. Network segmentation: Isolate systems that require legacy Java from untrusted networks.

Detection

  • Monitor for execution of outdated Java versions in your environment.
  • Use vulnerability scanners to detect installations of Java 7u21, 6u45, and 5u45 or earlier.
  • Network monitoring may reveal suspicious applet traffic, though exploit traffic can be obfuscated.
  • Reference: Vicarius detection guidance

Assessment

CVE-2013-2465 carries an EPSS score of 0.98704 (98.7% probability of exploitation in the wild) and has been listed in CISA's Known Exploited Vulnerabilities catalog since 2022-03-28. The high exploitability and wide deployment of vulnerable Java versions make this a persistent threat, particularly in legacy environments that still run outdated Java.

Key lessons:

  1. Legacy software components with broad attack surfaces (like Java 2D) require proactive patch management.
  2. End-of-life software should be prioritized for replacement rather than incremental patching.

References

Frequently asked questions

What is CVE-2013-2465?
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "Incorrect image channel verification" in 2D.
How severe is CVE-2013-2465?
CVE-2013-2465 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2013-2465 being actively exploited?
Yes. CVE-2013-2465 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-03-28, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2013-2465?
CVE-2013-2465 primarily affects Oracle Jre. In total, 104 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2013-2465?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2013-2465 have an EU (EUVD) identifier?
Yes. CVE-2013-2465 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2013-2411. It is also flagged as exploited in the EUVD (since 2022-03-28).
When was CVE-2013-2465 published?
CVE-2013-2465 was published on 2013-06-18 and last updated on 2026-06-16.

References

Affected products (104)

More vulnerabilities in Oracle Jre

All CVEs affecting Oracle Jre →

Other CWE-693 (Protection Mechanism Failure) vulnerabilities

Browse all CWE-693 (Protection Mechanism Failure) vulnerabilities →