CVE-2026-21975 - Vulnerability Details

- Java VM Crash Vulnerability in Oracle Database Server

Description

Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.29 and 21.3-21.20. Easily exploitable vulnerability allows high privileged attacker having Authenticated User privilege with network access via Oracle Net to compromise Java VM. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java VM. CVSS 3.1 Base Score 4.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H).

Published: 2026-01-20

Score: 4.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows a high‑privileged authenticated user, who can reach the database over Oracle Net, to cause the Java VM component of Oracle Database Server to crash or hang. The effect is an availability loss; confidentiality or integrity are not affected. Successful exploitation also requires a separate attacker‑controlled user to interact with the system, making the attack more complex.

Affected Systems

Affected products are Oracle Database Server with Java VM for versions 19.3 through 19.29 and 21.3 through 21.20. These versions run the vulnerable Java VM component.

Risk and Exploitability

The CVSS 3.1 base score of 4.5 indicates moderate severity for availability. The EPSS score of under 1% suggests low overall exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires network access via Oracle Net, an authenticated user with high privileges, and a separate human interaction from another person, which reduces the likelihood of automated, widespread attacks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle Database Server

affected

Version	Status	Constraints
`19.3`	affected	≤ 19.29
`21.3`	affected	≤ 21.20

Configuration 1 [-]

OR	cpe:2.3:a:oracle:java_virtual_machine::::::::
	cpe:2.3:a:oracle:java_virtual_machine::::::::

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Oracle Database Server patch that includes the Java VM fix, as released in the CPU January 2026 advisory.
If patching immediately is not feasible, disable or remove the Java VM feature from the database startup configuration to prevent accidental crashes.
Continuously monitor database logs for Java VM crash events and configure alerts for abnormal terminations to ensure rapid incident response.

Generated by OpenCVE AI on April 18, 2026 at 15:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00038.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.oracle.com/security-alerts/cpujan2026.html

History

Sat, 18 Apr 2026 16:00:00 +0000

Type	Values Removed	Values Added
Title		Java VM Crash Vulnerability in Oracle Database Server

Thu, 29 Jan 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Oracle java Virtual Machine
CPEs		cpe:2.3:a:oracle:java_virtual_machine::::::::
Vendors & Products		Oracle java Virtual Machine

Wed, 21 Jan 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-404
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 20 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.29 and 21.3-21.20. Easily exploitable vulnerability allows high privileged attacker having Authenticated User privilege with network access via Oracle Net to compromise Java VM. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java VM. CVSS 3.1 Base Score 4.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H).
First Time appeared		Oracle Oracle database - Java Vm
CPEs		cpe:2.3:a:oracle:database_-_java_vm::::::::
Vendors & Products		Oracle Oracle database - Java Vm
References		https://www.oracle.com/security-alerts/cpujan2026.html
Metrics		cvssV3_1 `{'score': 4.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H'}`

Subscriptions

Oracle Database - Java Vm Java Virtual Machine

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-01-20T21:56:36.948Z

Updated: 2026-01-21T14:36:01.703Z

Reserved: 2026-01-05T18:07:34.716Z

Link: CVE-2026-21975

Vulnrichment

Updated: 2026-01-21T14:35:43.806Z

NVD

Status : Analyzed

Published: 2026-01-20T22:16:00.707

Modified: 2026-01-29T14:46:56.653

Link: CVE-2026-21975

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses

CWE-404

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object