From 6a067247ecd413931efbec93beca8e27aef76790 Mon Sep 17 00:00:00 2001
From: David Konigsberg <72822263+davidkonigsberg@users.noreply.github.com>
Date: Mon, 18 May 2026 06:24:51 -0400
Subject: [PATCH 1/2] chore(java): fix CVE-2026-41989 by updating libgcrypt in Docker image (#15963)
Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
---
 generators/java/sdk/Dockerfile | 5 ++++-
 .../sdk/changes/unreleased/fix-cve-2026-41989-libgcrypt.yml | 4 ++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 generators/java/sdk/changes/unreleased/fix-cve-2026-41989-libgcrypt.yml
diff --git a/generators/java/sdk/Dockerfile b/generators/java/sdk/Dockerfile
index 1c75a9c55a29..e6c85713eaa3 100644
--- a/generators/java/sdk/Dockerfile
+++ b/generators/java/sdk/Dockerfile
@@ -74,6 +74,8 @@ RUN rm -f /opt/gradle/lib/plugins/bcpg-jdk18on-*.jar \
 # Security update 2026-05-04: add glibc/glibc-common/glibc-minimal-langpack
 # (CVE-2026-4046, iconv() assertion failure when converting IBM1390/IBM1399
 # inputs; fixed in glibc 2.34-231.amzn2023.0.4)
+# Security update 2026-05-18: add libgcrypt (CVE-2026-41989, heap-based
+# buffer overflow in gcry_pk_decrypt; fixed in 1.10.2-1.amzn2023.0.3)
 RUN dnf --releasever=latest update -y \
 openssl-fips-provider-latest \
 openssl-libs \
@@ -96,7 +98,8 @@ RUN dnf --releasever=latest update -y \
 libnghttp2 \
 glibc \
 glibc-common \
- glibc-minimal-langpack && \
+ glibc-minimal-langpack \
+ libgcrypt && \
 dnf remove -y git-lfs wget || true && \
 dnf clean all && \
 rm -rf /var/cache/dnf
diff --git a/generators/java/sdk/changes/unreleased/fix-cve-2026-41989-libgcrypt.yml b/generators/java/sdk/changes/unreleased/fix-cve-2026-41989-libgcrypt.yml
new file mode 100644
index 000000000000..a91810d9dbcd
--- /dev/null
+++ b/generators/java/sdk/changes/unreleased/fix-cve-2026-41989-libgcrypt.yml
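Review bot: The new `libgcrypt` entry in the second hunk resolves to whatever `dnf --releasever=latest update` finds at build time, so nothing in the Dockerfile enforces the `1.10.2-1.amzn2023.0.3` floor that the new comment in the first hunk records; a lagging mirror or a build against an older repo snapshot yields an image whose comment claims the fix while the installed package is still behind. A cheap guard in the same RUN, right after the update and before `dnf remove`, would make the claim checkable from the build log: `rpm -q libgcrypt && \` to print the resolved version, or a hard assertion such as `rpm -q --whatprovides 'libgcrypt >= 1.10.2-1.amzn2023.0.3' && \` if the image's rpm accepts versioned capability queries (worth confirming; the earlier glibc and openssl entries have the same gap and could share the check). The RUN instruction being edited begins in the first hunk and spans both hunks.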
@@ -0,0 +1,4 @@
+- summary: |
+ Fix CVE-2026-41989: update libgcrypt in Docker image to patch heap-based
+ buffer overflow in gcry_pk_decrypt.
+ type: chore
From 62fcd9134a3586e40ee705191179d8cc3b4bdfd1 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 18 May 2026 10:29:09 +0000
Subject: [PATCH 2/2] chore(java): release 4.8.9
---
 .../fix-cve-2026-41989-libgcrypt.yml | 0
 generators/java/sdk/versions.yml | 8 ++++++++
 2 files changed, 8 insertions(+)
 rename generators/java/sdk/changes/{unreleased => 4.8.9}/fix-cve-2026-41989-libgcrypt.yml (100%)
diff --git a/generators/java/sdk/changes/unreleased/fix-cve-2026-41989-libgcrypt.yml b/generators/java/sdk/changes/4.8.9/fix-cve-2026-41989-libgcrypt.yml
similarity index 100%
rename from generators/java/sdk/changes/unreleased/fix-cve-2026-41989-libgcrypt.yml
rename to generators/java/sdk/changes/4.8.9/fix-cve-2026-41989-libgcrypt.yml
diff --git a/generators/java/sdk/versions.yml b/generators/java/sdk/versions.yml
index ae3ec9a1f448..2ba740652589 100644
--- a/generators/java/sdk/versions.yml
+++ b/generators/java/sdk/versions.yml
@@ -1,4 +1,12 @@
 # yaml-language-server: $schema=../../../fern-versions-yml.schema.json
+- version: 4.8.9
+ changelogEntry:
+ - summary: |
+ Fix CVE-2026-41989: update libgcrypt in Docker image to patch heap-based
+ buffer overflow in gcry_pk_decrypt.
+ type: chore
+ createdAt: "2026-05-18"
+ irVersion: 66
 - version: 4.8.8
 changelogEntry:
 - summary: |