Description
Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Server Infrastructure). Supported versions that are affected are 17.0-25.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Deployment. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-01-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Availability Impact)
Action: Patch
AI Analysis

Impact

A vulnerability exists in the Server Infrastructure component of Oracle Siebel CRM Deployment that allows an unauthenticated attacker with network access via TLS to trigger a crash or repeated hang, resulting in a denial of service. The flaw does not compromise confidentiality or integrity, but it can completely stop the deployment service from functioning.

Affected Systems

Oracle Corporation: Siebel CRM Deployment, versions 17.0 through 25.2, specifically the Server Infrastructure component; any environment running these versions is vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 indicates high severity. The EPSS score is below 1%, suggesting low but non-zero exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the issue remotely over network TLS connections without requiring authentication, making the attack readily achievable for anyone who can reach the deployment service.

Generated by OpenCVE AI on April 18, 2026 at 04:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle Customer Advisory and patch released in January 2026 for versions 17.0–25.2.
  • If patching is not immediately feasible, limit network access to the deployment service to trusted IP ranges and consider enforcing TLS client certificates.
  • Deploy an application‑level firewall or access control that filters malicious packets and monitor logs for repeated crash attempts.



Advisories

No advisories yet.

History

Thu, 29 Jan 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Oracle siebel Customer Relationship Management Deployment |
| Weaknesses | | NVD-CWE-noinfo |
| CPEs | | `cpe:2.3:a:oracle:siebel_customer_relationship_management_deployment:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Oracle siebel Customer Relationship Management Deployment |

Wed, 21 Jan 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Tue, 20 Jan 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Server Infrastructure). Supported versions that are affected are 17.0-25.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Deployment. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). |
| First Time appeared | | Oracle, Oracle siebel Crm Deployment |
| CPEs | | `cpe:2.3:a:oracle:siebel_crm_deployment:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Oracle, Oracle siebel Crm Deployment |
| References | | |
| Metrics | | cvssV3_1: `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T20:51:46.300Z

Reserved: 2026-01-05T18:07:34.708Z

Link: CVE-2026-21926

Vulnrichment

Updated: 2026-01-21T20:51:39.118Z

NVD

Status: Analyzed

Published: 2026-01-20T22:15:55.050

Modified: 2026-01-29T21:22:10.120

Link: CVE-2026-21926

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses