Skip to main content

Oracle Solaris EUVDEUVD-2026-37233

| CVE-2026-46914 HIGH
Improper Privilege Management (CWE-269)
2026-06-16 oracle
7.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
7.1 HIGH

Local logon required (AV:L, PR:L); easily exploitable per Oracle (AC:L); no user interaction; gives full read of accessible data (C:H) and full OS crash (A:H) with no integrity impact (I:N).

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:12 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystem). The supported version that is affected is 11.4. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Solaris accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. CVSS 3.1 Base Score 7.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H).

AnalysisAI

Local privilege abuse in Oracle Solaris 11.4 allows a low-privileged authenticated user with logon access to the host to read sensitive filesystem data and trigger a complete denial of service of the operating system. Oracle's June 2026 Critical Patch Update lists this as easily exploitable through the Filesystem component, with a CVSS 3.1 base score of 7.1; no public exploit identified at time of analysis and the issue is not on the CISA KEV list.

Technical ContextAI

The flaw resides in the Filesystem component of Oracle Solaris 11.4, Oracle's enterprise UNIX platform commonly deployed on SPARC and x86 server infrastructure (CPE cpe:2.3:a:oracle_corporation:oracle_solaris:*). Although NVD does not assign a CWE, the combination of high confidentiality and high availability impact with no integrity impact, reached via local access, is characteristic of a filesystem access-control or resource-handling defect - for example improper permission enforcement on a virtual filesystem object or an unchecked condition that lets a local user read protected data and panic/hang the kernel. The 'Authentication Bypass' tag from the input intelligence suggests the underlying weakness may let a logged-in user reach data or operations normally gated by stronger filesystem authorization.

RemediationAI

Apply the Filesystem fixes from Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) by installing the corresponding Solaris 11.4 SRU on every affected host - Patch available per vendor advisory; the specific patched SRU number is not included in the input data and should be taken directly from the CPU matrix. Until the SRU is deployed, reduce blast radius by restricting interactive logon on Solaris 11.4 systems to trusted administrators (tighten /etc/security/policy.conf, PAM, and RBAC profiles, and remove shell access for service or batch accounts), and monitor for unexpected system panics or hangs that could indicate exploitation attempts; the trade-off is reduced operational flexibility for shared-use hosts and possible disruption to automation accounts that legitimately need login. Do not rely on network controls alone - the vector is local (AV:L), so firewalling will not mitigate.

Share

EUVD-2026-37233 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy