Skip to main content

Oracle Database Server EUVDEUVD-2026-33014

| CVE-2026-46834 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-28 oracle GHSA-2qv6-qqvc-2gcp
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:22 vuln.today

DescriptionCVE.org

Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

AnalysisAI

Remote denial-of-service in Oracle Database Server's Net Service component (versions 23.4.0 through 23.26.2) allows unauthenticated attackers with TLS network access to hang or repeatedly crash the listener, producing a complete DoS of database connectivity. The flaw is rated CVSS 7.5 (availability-only) and was disclosed by Oracle in the May 2026 Critical Patch Update; no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Technical ContextAI

Oracle Net Services is the connectivity layer that brokers client/server sessions to the Oracle Database (typically via the TNS Listener on port 1521 or TLS-enabled equivalents such as 2484). The affected CPE is cpe:2.3:a:oracle_corporation:oracle_database_server, scoped to the 23c release line (23.4.0-23.26.2). No CWE was assigned by Oracle, but the symptom - a remotely triggered hang or repeatable crash reached over TLS without authentication - is consistent with an unhandled exception or resource-exhaustion class defect in the TLS handshake or TNS protocol parsing prior to session authentication, since exploitation does not require valid credentials.

RemediationAI

Apply the fixes shipped in the Oracle Critical Patch Update of May 2026 (https://www.oracle.com/security-alerts/cspumay2026.html); patch availability is confirmed by the vendor advisory but an exact post-fix build number is not provided in this input, so consult the CPU matrix for the precise RU/RUR that supersedes 23.26.2 in your environment. As a compensating control until patching, restrict TCP/IP reachability of the TNS listener (default 1521 and any TCPS/TLS port such as 2484) to known application tiers via firewall or Oracle Connection Manager / valnode (TCP.VALIDNODE_CHECKING with TCP.INVITED_NODES) - the trade-off is operational overhead and the risk of breaking ad-hoc DBA tooling. Where TLS is not strictly required, temporarily disabling the TCPS endpoint removes the specific attack path described but obviously eliminates encrypted client connectivity. Monitor listener.log and alert.log for repeated abnormal disconnects or listener restarts as a detection signal.

Share

EUVD-2026-33014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy