Skip to main content

Oracle Solaris CVE-2026-46914

| EUVDEUVD-2026-37233 HIGH
Improper Privilege Management (CWE-269)
2026-06-16 oracle
7.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
7.1 HIGH

Local logon required (AV:L, PR:L); easily exploitable per Oracle (AC:L); no user interaction; gives full read of accessible data (C:H) and full OS crash (A:H) with no integrity impact (I:N).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:12 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystem). The supported version that is affected is 11.4. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Solaris accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. CVSS 3.1 Base Score 7.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

AnalysisAI

Local privilege abuse in Oracle Solaris 11.4 allows a low-privileged authenticated user with logon access to the host to read sensitive filesystem data and trigger a complete denial of service of the operating system. Oracle's June 2026 Critical Patch Update lists this as easily exploitable through the Filesystem component, with a CVSS 3.1 base score of 7.1; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged shell on Solaris 11.4 host
Delivery
Invoke vulnerable Filesystem component operation
Exploit
Read protected filesystem data outside privilege scope
Execution
Re-trigger flaw to hang or panic kernel
Impact
Complete denial of service of Solaris instance

Vulnerability AssessmentAI

Exploitation Attacker must have an interactive local logon on the Oracle Solaris 11.4 host (CVSS AV:L, PR:L) and the ability to invoke the vulnerable Filesystem component code path; no user interaction by another account is required (UI:N) and attack complexity is low (AC:L), meaning no race window or special tuning. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H places this firmly in the 'local but easy' tier: any user who can log in to a Solaris 11.4 host can both exfiltrate sensitive filesystem data (C:H) and crash the OS (A:H) without user interaction, but they cannot reach it over the network and cannot tamper with data (I:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A developer or batch-job account with an ordinary shell on a shared Solaris 11.4 build server abuses the vulnerable Filesystem code path to read files belonging to other tenants or to root (for example, private keys or database credentials) and, in the same session, triggers the bug a second time to hang or crash the host, causing a complete outage of the workloads on that node. Because attack complexity is low and no user interaction is required, the action can be scripted and repeated; no public exploit identified at time of analysis, but the conditions favor straightforward weaponization once technical details emerge.
Remediation Apply the Filesystem fixes from Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) by installing the corresponding Solaris 11.4 SRU on every affected host - Patch available per vendor advisory; the specific patched SRU number is not included in the input data and should be taken directly from the CPU matrix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all Solaris 11.4 systems in your environment. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46914 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy