CVE-2026-46834: Oracle Database Net Service DoS Vulnerability (CVSS 7.5)
A denial-of-service vulnerability exists in Oracle Database Server's Net Service component that allows an unauthenticated attacker on the network to crash or hang the service repeatedly. The attacker needs only network access and can exploit this over TLS without providing credentials or user interaction. The vulnerability affects versions 23.4.0 through 23.26.2 of Oracle Database Server.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46834 is a network-accessible denial-of-service flaw in the Oracle Database Server Net Service component, rooted in improper resource handling (CWE-400). The vulnerability is easily exploitable due to a low attack complexity, no authentication requirement, and no user interaction needed. An unauthenticated network attacker can send crafted TLS traffic to trigger uncontrolled resource consumption, resulting in service unavailability. The CVSS 3.1 score of 7.5 reflects the high availability impact with no confidentiality or integrity compromise.
Business impact
This vulnerability poses a direct operational risk to organizations running Oracle Database Server in the affected versions. An attacker can cause repeated denial-of-service conditions, disrupting database availability and cascading to dependent applications and services. This impact intensifies in environments where database uptime is critical to business continuity, particularly for transaction-heavy or mission-critical systems. Recovery requires manual intervention and service restart, extending downtime and potential revenue loss.
Affected systems
Oracle Database Server versions 23.4.0 through 23.26.2 are affected. Any deployment of these versions with the Net Service component exposed to untrusted network segments is at risk. Organizations should audit their Oracle Database infrastructure to identify which systems run affected versions and assess their network exposure.
Exploitability
This vulnerability is highly exploitable. It requires only network access and can be triggered via standard TLS connections without authentication or user interaction. The low attack complexity means an attacker does not need specialized techniques or timing conditions. The absence of KEV status does not indicate low exploit risk; the technical characteristics alone indicate straightforward exploitability for any attacker with network reach to the Oracle Net Service listener port.
Remediation
Patching is the primary remediation. Organizations must upgrade Oracle Database Server to a patched version outside the affected range (verify against the Oracle critical patch advisory for the specific patch version addressing this CVE). Interim mitigation includes restricting network access to the Oracle Net Service listener to trusted hosts only, using firewall rules or host-based access controls to limit connections to administrative networks and known client systems.
Patch guidance
Consult the Oracle critical patch advisory corresponding to the CVE publication date (2026-05-28) to identify the specific patched version for your Oracle Database Server release. Apply patches during a scheduled maintenance window, as they typically require database restart. Test patches in a non-production environment first to verify compatibility with existing applications and custom configurations. Prioritize patching for systems exposed to untrusted networks.
Detection guidance
Monitor Oracle Database Net Service logs for repeated connection resets, listener crashes, or service hangs that correlate with unexpected network traffic. Network sensors should flag suspicious TLS traffic patterns targeting the Oracle listener port (default 1521) from unexpected sources. Check for sudden spikes in resource consumption or connection attempts. Establish baseline monitoring of Net Service availability and trigger alerts on anomalous terminations.
Why prioritize this
This vulnerability merits rapid prioritization due to its high CVSS score (7.5), ease of exploitation, lack of authentication barriers, and direct impact on database availability. While it does not enable data theft or system compromise, denial-of-service attacks on databases undermine operational continuity. Organizations should treat this with the same urgency as active threats to their database infrastructure. The affected version range (23.4.0–23.26.2) suggests relatively recent releases, likely deployed in modern environments.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) is driven by network accessibility (AV:N), low attack complexity (AC:L), no authentication requirement (PR:N), no user interaction (UI:N), and high availability impact (A:H). The absence of confidentiality and integrity impacts prevents a critical rating. For organizations dependent on continuous database availability, the actual risk may warrant internal elevation above the base CVSS score when factored with business criticality.
Frequently asked questions
Can an attacker steal data or modify records using this vulnerability?
No. This vulnerability only causes denial-of-service (crashes or hangs). It does not enable unauthorized data access, confidentiality compromise, or data modification. An attacker cannot bypass authentication or alter database contents.
Do I need to apply this patch immediately, or can we schedule it for regular maintenance?
Given the high CVSS score and ease of exploitation, patch as soon as operationally feasible—ideally within days rather than weeks. If your Oracle listener is accessible only from trusted internal networks, you have some additional flexibility, but exposure to untrusted networks should trigger immediate remediation.
What if we cannot patch immediately?
Implement network segmentation immediately: restrict inbound connections to the Oracle Net Service listener (default port 1521) to only trusted administrative and client hosts. Use firewall rules or host-based access controls. Monitor listener logs and service health closely. This is a temporary measure; patching must follow as soon as possible.
Does this affect Oracle Cloud Database services or only on-premises Oracle Database?
The CVE specifically affects Oracle Database Server versions 23.4.0–23.26.2. Verify your deployment model and version with your system administrator or Oracle support. Cloud-hosted versions may have different patch timelines; contact your cloud provider for their patch status and timeline.
This analysis is based on the official CVE record and CVSS vector published as of 2026-06-17. Security advisories and patch availability may be updated by Oracle; consult the latest Oracle Security Alert for current patch version numbers and detailed remediation steps. This vulnerability does not appear on CISA's Known Exploited Vulnerabilities catalog as of this publication date, but lack of KEV status does not indicate low risk. Organizations are responsible for validating patch compatibility in their environment before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-35266HIGHOracle REST Data Services Authentication & Data Integrity Vulnerability
- CVE-2026-35277HIGHOracle REST Data Services Authorization Bypass
- CVE-2026-46829HIGHOracle REST Data Services Unauthenticated Denial-of-Service Vulnerability
- CVE-2026-46835HIGHOracle Database Server Net Service Denial of Service (CVSS 7.5)
- CVE-2026-46843MEDIUMOracle REST Data Services DoS Vulnerability—Patch Guidance
- CVE-2024-14036HIGHDräger Core Denial of Service via Malformed SDC Messages
- CVE-2026-10069HIGHShibby Tomato miniupnpd Resource Exhaustion Vulnerability
- CVE-2026-37234HIGHFlexRIC E42 Resource Leak via Multiple xapp_id Binding