CVE-2026-46835 - Vulnerability Details

- Unauthenticated TLS-based Denial of Service in Oracle Database Server Net Service

Description

Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Published: 2026-05-28

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability in the Net Service component of Oracle Database Server permits an unauthenticated attacker with network access via TLS to force the service to hang or crash repeatedly. The exploitation results in a denial‑of‑service condition that disrupts database availability but does not compromise data confidentiality or integrity.

Affected Systems

Oracle Corporation’s Oracle Database Server Net Service is impacted. Supported versions affected include 23.4.0 through 23.26.2. The issue is specific to the network service layer and does not extend to other database components.

Risk and Exploitability

The CVSS score of 7.5 indicates a high availability impact with no authentication required and low attack complexity. The vulnerability is exploitable over the network via TLS, allowing unsolicited connections to trigger the crash. EPSS is unavailable and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an unauthenticated network connection over TLS to the Net Service; this inference is derived from the description, which states an unauthenticated attacker with network access via TLS can exploit the vulnerability.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle Database Server

affected

Version	Status	Constraints
`23.4.0`	affected	≤ 23.26.2

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Deploy the Oracle Database Server patch as detailed in the official Oracle Security Alert for May 2026
Configure network firewalls to restrict TLS traffic to the Net Service port to only trusted hosts
Monitor Net Service uptime and resource usage, and immediately reboot or restart the service upon detecting hangs or frequent crashes

Generated by OpenCVE AI on May 28, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0004.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://www.oracle.com/security-alerts/cspumay2026.html

History

Fri, 29 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 28 May 2026 22:15:00 +0000

Type	Values Removed	Values Added
Title		Unauthenticated TLS-based Denial of Service in Oracle Database Server Net Service
Weaknesses		CWE-400

Thu, 28 May 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
First Time appeared		Oracle Oracle database - Net Service
CPEs		cpe:2.3:a:oracle:database_-_net_service::::::::
Vendors & Products		Oracle Oracle database - Net Service
References		https://www.oracle.com/security-alerts/cspumay2026.html
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Oracle Database - Net Service

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-05-28T20:17:15.933Z

Updated: 2026-05-29T15:31:55.460Z

Reserved: 2026-05-18T15:55:10.305Z

Link: CVE-2026-46835

Vulnrichment

Updated: 2026-05-29T15:31:49.165Z

NVD

Status : Undergoing Analysis

Published: 2026-05-28T21:16:33.450

Modified: 2026-05-29T16:16:30.520

Link: CVE-2026-46835

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T22:00:14Z

Weaknesses

CWE-400

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object