Description
Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystems). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H).
Published: 2026-01-20
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The flaw is a resource exhaustion condition, identified as CWE‑400, that allows a low‑privileged attacker who is logged on to an Oracle Solaris host to induce a hang or crash. The attacker must cause the vulnerable component to execute, and triggering the effect requires interaction from another person. Once triggered, the service runs out of usable resources, leading to a complete denial of service for the affected system.

Affected Systems

Oracle Solaris versions 10 and 11 are affected. The vulnerability is present in the file system component of these operating systems and therefore applies to any infrastructure running either of these Solaris releases.

Risk and Exploitability

The CVSS 3.1 base score of 5.0 indicates a medium severity with an availability impact. The EPSS score being below 1% suggests a very low likelihood of exploitation at the present time, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the attack requires only local low‑privileged credentials and a human interaction step, it can be executed relatively easily on an exposed system. The primary risk is repeated crashes that can disrupt services and degrade system availability, especially in environments where Solaris is run as a critical component of a larger infrastructure.

Generated by OpenCVE AI on April 18, 2026 at 15:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle Solaris patch available in the January 2026 CPU release to address the resource exhaustion flaw.
  • Restrict local logon privileges for users who do not need to access the affected file‑system services to reduce the attack surface.
  • Monitor system logs for repeated hang or crash events and investigate any unexpected service restarts.
  • If a patch cannot be applied immediately, isolate the affected machine from the production network and restrict access to the vulnerable filesystem APIs.


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Title Low Privilege Denial of Service via Filesystem Hang in Oracle Solaris 10 and 11

Thu, 29 Jan 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:oracle:solaris:10:*:*:*:*:*:*:*
cpe:2.3:o:oracle:solaris:11:*:*:*:*:*:*:*

Wed, 21 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystems). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H).
First Time appeared Oracle
Oracle solaris
CPEs cpe:2.3:a:oracle:solaris:10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:solaris:11:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle solaris
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T14:59:59.056Z

Reserved: 2026-01-05T18:07:34.711Z

Link: CVE-2026-21942

Vulnrichment

Updated: 2026-01-21T14:59:51.527Z

NVD

Status: Analyzed

Published: 2026-01-20T22:15:57.027

Modified: 2026-01-29T20:35:17.903

Link: CVE-2026-21942

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses