Description
Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-05-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Net Service component of Oracle Database Server allows an unauthenticated network attacker with TLS connectivity to force a hang or crash of the service. The vulnerability is easily exploitable and results in a complete denial of service to any client attempting to use the service. The weakness directly impacts availability with no known influence on confidentiality or integrity.

Affected Systems

Oracle Corporation’s Oracle Database Server is affected in versions 23.4.0 through 23.26.2. The vulnerability is specifically in the Net Service component of these releases.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 indicates high severity, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Because the attack requires only inbound TLS traffic and no credentials, an attacker can initiate the exploit from any external network host. EPSS data are not available and the vulnerability is not listed in CISA’s KEV catalog, but the ease of exploitation and high availability impact warrant prompt action. Successful remote exploitation would cause repeated crashes of the Net Service, disrupting database connectivity and potentially cascading to other dependent applications.

Generated by OpenCVE AI on May 28, 2026 at 21:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch or upgrade to a version where the Net Service bug is fixed, as advertised in the Oracle security advisory
  • Restrict inbound TLS connections to the Net Service by configuring firewall rules or access control lists so only trusted IP ranges can reach the service
  • Enable automated monitoring and restart of the Net Service so that any crashes are detected and the service is brought back online quickly



Advisories

No advisories yet.

History

Fri, 29 May 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 28 May 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Title | | Denial of Service via TLS in Oracle Database Server Net Service |
| Weaknesses | | CWE-400 |

Thu, 28 May 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Description | | Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). |
| First Time appeared | | Oracle; Oracle database - Net Service |
| CPEs | | cpe:2.3:a:oracle:database_-_net_service:*:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle database - Net Service |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T15:31:10.773Z

Reserved: 2026-05-18T15:55:10.305Z

Link: CVE-2026-46834

Vulnrichment

Updated: 2026-05-29T15:31:04.165Z

NVD

Status: Undergoing Analysis

Published: 2026-05-28T21:16:33.330

Modified: 2026-05-29T16:16:30.400

Link: CVE-2026-46834

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T21:30:26Z

Weaknesses