Constructor of jdk.internal.dynalink.beans.OverloadedDynamicMethod class calls Class.getClassLoader without a doPrivileged block around. While this does not cause any failure usually, it can cause problems. In most cases, extension loader (the loader of dynalink) is the parent chain of most classes and so c.getClassLoader() call without doPrivileged is fine. But there is a possibility a Class is loaded by loader that does not have extension loader in it's parent chain. In such case, dynalink will try to get ClassLoader and security check will be performed. Depending on caller chain, this will fail!