CVE & CISA-KEV Catalog

CVE-2026-22865

Severity: HIGH (7.4, CVSS v3, source: NVD)

Description

Gradle is a build automation tool, and its native-platform tool provides Java bindings for native APIs. When resolving dependencies in versions before 9.3.0, some exceptions were not treated as fatal errors and would not cause a repository to be disabled. If a build encountered one of these exceptions, Gradle would continue to the next repository in the list and potentially resolve dependencies from a different repository. An exception like NoHttpResponseException can indicate transient errors. If the errors persist after a maximum number of retries, Gradle would continue to the next repository. This behavior could allow an attacker to disrupt the service of a repository and leverage another repository to serve malicious artifacts. This attack requires the attacker to have control over a repository after the disrupted repository. Gradle has introduced a change in behavior in Gradle 9.3.0 to stop searching other repositories when encountering these errors.

How to fix

Remediation Available
Package: gradle (source: NVD)
Affected: >= 9.0.0, < 9.3.0
Fixed in: 9.3.0
CVE-2026-22865, derived from NVD

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.
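A check against the affected range listed above, as an added example (not code from Gradle, NVD or this catalog): it reads the Gradle version from the `distributionUrl` line of a `gradle-wrapper.properties` file and reports whether it falls in >= 9.0.0, < 9.3.0. The sample file contents are constructed, and treating a 9.3.0 pre-release as unfixed is an assumption.

```python
import re

# Range stated on this page: affected >= 9.0.0 and < 9.3.0, fixed in 9.3.0.
AFFECTED_MIN = (9, 0, 0)
FIXED_IN = (9, 3, 0)

# Matches the version in e.g. ".../distributions/gradle-9.2.1-bin.zip",
# with an optional pre-release qualifier such as "-rc-1".
_DIST_RE = re.compile(
    r"gradle-(\d+(?:\.\d+){1,2})(-[A-Za-z0-9.-]+?)?-(?:bin|all)\.zip")

# Constructed sample, not taken from any real project.
SAMPLE = """\
distributionBase=GRADLE_USER_HOME
distributionUrl=https\\://services.gradle.org/distributions/gradle-9.2.1-bin.zip
"""


def wrapper_version(properties_text):
    """Return ((major, minor, patch), is_prerelease), or None if unreadable."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() != "distributionUrl":
            continue
        # Properties files escape the colon as "\:"; undo that before matching.
        match = _DIST_RE.search(value.replace("\\:", ":"))
        if not match:
            return None
        parts = [int(p) for p in match.group(1).split(".")]
        parts += [0] * (3 - len(parts))  # "9.2" means 9.2.0
        return tuple(parts), match.group(2) is not None
    return None


def is_affected(properties_text):
    """True or False for a parsed version, None when no version was found."""
    parsed = wrapper_version(properties_text)
    if parsed is None:
        return None
    version, prerelease = parsed
    if version == FIXED_IN and prerelease:
        return True  # assumption: a 9.3.0 pre-release is treated as unfixed
    return AFFECTED_MIN <= version < FIXED_IN
```

A `None` result means the wrapper file did not yield a version, so the build's Gradle version has to be established another way before ruling it out.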

CVSS v3 Vector

Exploitability

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Impact

Confidentiality: High
Integrity: High
Availability: None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploit Intelligence

0.14% probability of exploitation in 30 days
3rd percentile

Low risk: more likely to be exploited than 3% of all known CVEs.

References

Vendor Advisory (1)

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-02-18.