PatchSiren cyber security CVE debrief
CVE-2026-46835 Oracle Corporation CVE debrief
A vulnerability in the Net Service component of Oracle Database Server allows unauthenticated attackers with network access via TLS to cause a complete denial of service (DoS) through hangs or repeatable crashes. The vulnerability affects Oracle Database Server versions 23.4.0 through 23.26.2. The CVSS 3.1 base score of 7.5 reflects high availability impact with no confidentiality or integrity impact. The attack vector is network-based, requires low attack complexity, no privileges, and no user interaction. This vulnerability was disclosed in Oracle's Critical Patch Update for May 2026.
- Vendor: Oracle Corporation
- Product: Oracle Database Server
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-29
Who should care
Organizations running Oracle Database Server versions 23.4.0 through 23.26.2 with Net Service exposed to untrusted networks; database administrators responsible for Oracle patch management; security teams monitoring for DoS vulnerabilities in critical infrastructure; compliance teams tracking Oracle security advisory adherence
Technical summary
The vulnerability exists in Oracle Database Server's Net Service component, which handles network connectivity for Oracle databases. An unauthenticated remote attacker can exploit this flaw by sending crafted TLS traffic to the Net Service listener, causing the service to hang or crash repeatedly. This results in complete loss of availability for database network services. The vulnerability is easily exploitable with no authentication or user interaction required, making it attractive for automated attacks. The attack surface is limited to systems with exposed Oracle Net Service listeners accepting TLS connections.
Defensive priority
HIGH
Recommended defensive actions
- Apply Oracle Critical Patch Update (CPU) for May 2026 as soon as available
- Restrict network access to Oracle Database Net Service listeners to authorized hosts only
- Monitor for unusual TLS connection patterns or Net Service crashes
- Review Oracle security alert for patch availability and deployment guidance
- Consider TLS inspection and rate limiting at network perimeter for database connections
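The "monitor for unusual TLS connection patterns" action above can be approximated from the listener log. The script below is an added example, not part of the PatchSiren debrief or of Oracle's tooling; it assumes the classic one-record-per-line listener.log layout (timestamp * connect data * address * action * service * return code) and uses constructed sample lines, flagging source hosts whose tcps connection attempts spike inside a sliding window and counting how many of those the listener rejected.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed classic listener.log record layout (one "*"-separated record per line):
#   <timestamp> * <connect data> * <address> * <action> * <service> * <return code>
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* [^*]* \* "
    r"\(ADDRESS=\(PROTOCOL=(?P<proto>\w+)\)\(HOST=(?P<host>[^)]+)\)\(PORT=\d+\)\) \* "
    r"(?P<action>\w+) \* [^*]* \* (?P<rc>\d+)\s*$"
)

# Constructed sample: two benign connections, then a burst of eight TLS (tcps)
# attempts from one source that the listener rejected (non-zero return code).
SAMPLE_LOG = "\n".join(
    ["28-MAY-2026 10:00:01 * (CONNECT_DATA=(SERVICE_NAME=orcl)) * "
     "(ADDRESS=(PROTOCOL=tcps)(HOST=10.0.0.5)(PORT=41000)) * establish * orcl * 0",
     "28-MAY-2026 10:00:03 * (CONNECT_DATA=(SERVICE_NAME=orcl)) * "
     "(ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.6)(PORT=41001)) * establish * orcl * 0"]
    + [f"28-MAY-2026 10:00:{10 + i:02d} * (CONNECT_DATA=(SERVICE_NAME=orcl)) * "
       f"(ADDRESS=(PROTOCOL=tcps)(HOST=203.0.113.7)(PORT={51234 + i})) * establish * orcl * 12560"
       for i in range(8)]
)

def detect_tls_bursts(log_text, window_seconds=60, max_attempts=5):
    """Flag hosts whose tcps 'establish' attempts exceed max_attempts in any sliding
    window of window_seconds. Returns {host: {"peak": n_in_busiest_window, "failed": n}}."""
    attempts = defaultdict(list)   # host -> timestamps of tcps attempts
    failed = defaultdict(int)      # host -> attempts with a non-zero return code
    for line in log_text.splitlines():
        m = LINE_RE.match(line)    # multi-line TNS error text never matches and is skipped
        if not m or m["proto"].lower() != "tcps" or m["action"] != "establish":
            continue
        ts = datetime.strptime(m["ts"].title(), "%d-%b-%Y %H:%M:%S")
        attempts[m["host"]].append(ts)
        if m["rc"] != "0":
            failed[m["host"]] += 1
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for host, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_attempts:
            alerts[host] = {"peak": peak, "failed": failed[host]}
    return alerts
```

Tune `window_seconds` and `max_attempts` to the listener's normal connection rate; a host with many attempts and a high `failed` count in one window is the pattern worth correlating with listener restarts or hangs.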
Evidence notes
Oracle Database Server Net Service component; versions 23.4.0-23.26.2 affected. Attack requires network access via TLS. Successful exploitation results in complete DoS of Net Service.
Official resources
- CVE-2026-46835 CVE record (CVE.org)
- CVE-2026-46835 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Oracle disclosed this vulnerability on 2026-05-28 as part of its Critical Patch Update security advisory.