Description
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Solaris accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Published: 2026-01-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data disclosure
Action: Apply patch
AI Analysis

Impact

The CVE affects the kernel component of Oracle Solaris 11 and permits unauthenticated attackers with TCP network access to read a subset of data that the operating system exposes. The flaw arises from missing confidentiality controls, enabling an adversary to obtain sensitive information without user interaction. The disclosed data could include system configuration or confidential files, impacting confidentiality while leaving integrity and availability unaffected.

Affected Systems

Affected product: Oracle Solaris 11 from Oracle Corporation. The supported version 11 is affected, and the advisory does not limit this to particular sub-version numbers.

Risk and Exploitability

The CVSS 3.1 Base Score of 5.3 indicates moderate severity with a confidentiality impact. EPSS is reported as less than 1%, suggesting a low but nonzero probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a network-based TCP connection to a service that interfaces with the kernel. Exploitation requires no special privileges or user interaction, so an attacker who can reach the system over the network can achieve the data read with relative ease.

Generated by OpenCVE AI on April 18, 2026 at 04:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Oracle Solaris 11 patch released in the January 2026 security update cycle
  • Restrict network access to the Solaris system, especially to services that interface directly with the kernel
  • Adopt Oracle’s latest security hardening guidelines to limit exposed data paths
  • Monitor network traffic for unusual access patterns that might indicate exploitation attempts

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Disclosure via Network in Oracle Solaris 11 Kernel

Tue, 03 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Thu, 29 Jan 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:o:oracle:solaris:11:*:*:*:*:*:*:*

Wed, 21 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Solaris accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
First Time appeared Oracle
Oracle solaris
CPEs cpe:2.3:a:oracle:solaris:11:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle solaris
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-03-03T15:53:41.941Z

Reserved: 2026-01-05T18:07:34.709Z

Link: CVE-2026-21928

Vulnrichment

Updated: 2026-01-21T20:52:37.059Z

NVD

Status : Modified

Published: 2026-01-20T22:15:55.303

Modified: 2026-03-03T16:16:20.373

Link: CVE-2026-21928

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses