Skip to main content

Oracle Database CVE-2026-46833

| EUVDEUVD-2026-33013 CRITICAL
2026-05-28 oracle GHSA-54vv-8mw9-m99f
9.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.0 CRITICAL
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:23 vuln.today

DescriptionCVE.org

Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. While the vulnerability is in Net Service, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Net Service. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Net Service takeover in Oracle Database Server 23.4.0 through 23.26.2 allows unauthenticated remote attackers reaching the TLS-protected Net Service listener to fully compromise confidentiality, integrity, and availability, with scope change indicating impact on adjacent components. CVSS 9.0 reflects high impact tempered by high attack complexity (AC:H), and no public exploit identified at time of analysis. Reported and tracked in Oracle's May 2026 Critical Patch Update advisory.

Technical ContextAI

Oracle Net Services is the connectivity layer (formerly SQL*Net) that brokers client-server communication for Oracle Database, including TNS Listener and the encrypted TLS transport used by Oracle Net. The affected CPE (cpe:2.3:a:oracle_corporation:oracle_database_server) covers Oracle Database Server 23c (versions 23.4.0 through 23.26.2). No CWE is published, but the scope-change behavior (S:C) combined with TLS-layer compromise suggests a flaw in the network protocol handling or TLS implementation within Net Services that allows the attacker's privileges to extend beyond the vulnerable component into other Oracle subsystems that trust Net Service-mediated connections.

RemediationAI

Apply the patches published in Oracle's May 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspumay2026.html); exact fixed version is documented in the CPU matrix and should be applied per Oracle's recommended upgrade path for 23c deployments running 23.4.0-23.26.2. Until patched, restrict network reachability to the Oracle Net listener (typically TCP/1521 or the TLS port TCP/2484) using firewalls or Oracle Connection Manager so that only trusted application tiers can reach Net Service - note this breaks any direct database access from untrusted networks and requires bastion or proxy access for DBAs. Enable Oracle Valid Node Checking (tcp.invited_nodes / tcp.validnode_checking in sqlnet.ora) as a compensating control to limit which client IPs can complete a connection, accepting the operational overhead of maintaining the allow-list.

Share

CVE-2026-46833 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy