CVE-2026-46835: Oracle Database Server Net Service Denial of Service (CVSS 7.5)
A flaw in Oracle Database Server's Net Service component allows attackers on the network to remotely crash or hang the service without needing valid credentials. The vulnerability affects versions 23.4.0 through 23.26.2 and is triggered via TLS connections, making it accessible to any attacker with network connectivity to the affected database service.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-46835 is a denial-of-service vulnerability in the Net Service component of Oracle Database Server (versions 23.4.0–23.26.2). The flaw exhibits the characteristics of a resource exhaustion or state-management defect (CWE-400) that can be triggered through TLS-based network traffic without authentication. Exploitation requires no special privileges, no user interaction, and minimal attack complexity. The vulnerability results in either a temporary service hang or a complete crash, with no confidentiality or integrity impact—only availability is affected.
Business impact
Successful exploitation causes denial of service to the Oracle Database Server's network connectivity layer. Database-dependent applications become unreachable, user sessions drop, and business processes relying on database access halt. Recovery typically requires manual service restart, incurring downtime and operational overhead. Organizations running affected versions face repeated attack surface exposure unless patched, particularly in environments where the database server is exposed to untrusted networks.
Affected systems
Oracle Database Server versions 23.4.0 through 23.26.2 are confirmed vulnerable. Organizations should audit their database deployment inventory to identify systems within this version range. Other components of Oracle Database and other Oracle products are not mentioned as affected by this specific flaw.
Exploitability
This vulnerability is easily exploitable. An unauthenticated attacker requires only network access to the affected database server's TLS port—no valid database credentials, no special tooling, and no user interaction. The low attack complexity and absence of authentication requirements make this a straightforward attack vector for any adversary with basic network access to the target.
Remediation
Apply security patches issued by Oracle for CVE-2026-46835 to affected Oracle Database Server instances. Verify patch version compatibility and test in a non-production environment before production deployment. Organizations unable to patch immediately should implement network-level access controls to restrict connections to the database server's TLS port to trusted sources only, and monitor for signs of denial-of-service attacks.
Patch guidance
Contact Oracle for official patch advisories and version-specific updates addressing CVE-2026-46835 for Oracle Database Server 23.4.0–23.26.2. Patches should be applied in accordance with Oracle's change management and release notes. Schedule patching during maintenance windows to minimize downtime, and verify that post-patch database operations function as expected before restoring full production load.
Detection guidance
Monitor database server logs and network traffic for repeated TLS connection attempts followed by service crashes or hangs. Track process exit codes and service availability metrics for unexpected restarts. Implement network intrusion detection rules to identify suspicious patterns of connections to the database TLS port from external or untrusted sources. Alert on any correlation between failed connection attempts and service unavailability.
Why prioritize this
This vulnerability merits high priority due to its high CVSS score (7.5), ease of exploitation, lack of authentication requirements, and direct impact on service availability. Unlike vulnerabilities requiring user interaction or special privileges, this flaw is trivial to trigger and can be weaponized at scale by any attacker with network visibility to affected systems. Database availability is often critical to business continuity, making denial-of-service flaws in this component particularly disruptive.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects a high-severity availability impact with a network attack vector, no authentication requirement, and low complexity. The score does not account for confidentiality or integrity breaches—only the ability to disrupt service. Organizations should consider context-specific risk factors: databases exposed to the internet warrant urgent remediation, while internal-only databases with strict network segmentation may allow a slightly longer remediation window.
Frequently asked questions
Can this vulnerability be exploited without network access to the database server?
No. The vulnerability requires direct network access to the affected database server's TLS port. If your database is protected by firewalls or segmented on a trusted internal network with restricted inbound access, the practical attack surface is reduced. However, any internal user or compromised system with network access to the database could potentially trigger the flaw.
Does this vulnerability affect earlier versions of Oracle Database Server?
The vulnerability is confirmed in versions 23.4.0 through 23.26.2. Earlier major releases (such as 21c or 19c) are not listed as affected by this specific CVE. However, you should verify against Oracle's official advisory, as version numbering and lineage can be complex across Oracle's product releases.
What is the difference between a 'hang' and a 'crash' in this context?
A hang means the Net Service becomes unresponsive but the process may still be running; a crash means the process terminates entirely. Both result in denial of service. A hanging service may be harder to detect automatically and could require administrative intervention to kill and restart the process.
If we cannot patch immediately, what interim mitigations help?
Restrict network access to the database server's TLS port to only authorized IP addresses and ranges using firewalls or network ACLs. Implement rate limiting on connection attempts. Monitor service availability and error logs closely for signs of exploitation, and maintain runbooks for rapid service restart in case of crashes.
This analysis is based on publicly disclosed vulnerability information current as of the published date. Patch version numbers and detailed remediation steps must be verified against Oracle's official security advisories and release notes. Network and system configurations vary; assess this vulnerability's risk within your specific environment. For critical deployments, engage Oracle support or a professional security consultant for guidance tailored to your infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-35266HIGHOracle REST Data Services Authentication & Data Integrity Vulnerability
- CVE-2026-35277HIGHOracle REST Data Services Authorization Bypass
- CVE-2026-46829HIGHOracle REST Data Services Unauthenticated Denial-of-Service Vulnerability
- CVE-2026-46834HIGHOracle Database Net Service DoS Vulnerability (CVSS 7.5)
- CVE-2026-46843MEDIUMOracle REST Data Services DoS Vulnerability—Patch Guidance
- CVE-2024-14036HIGHDräger Core Denial of Service via Malformed SDC Messages
- CVE-2026-10069HIGHShibby Tomato miniupnpd Resource Exhaustion Vulnerability
- CVE-2026-37234HIGHFlexRIC E42 Resource Leak via Multiple xapp_id Binding