Severity: HIGH | CVE-2026-46834 | CNA: oracle

CVE-2026-46834: Vulnerability in the Net Service component of Oracle Database Server

Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

HarborGuard Analysis

Synopsis

A denial-of-service vulnerability exists in the Net Service component of Oracle Database Server versions 23.4.0 through 23.26.2. An unauthenticated attacker with network access can reach the service over TLS and trigger a hang or repeatable crash of Net Service, requiring no credentials and no victim interaction. Successful exploitation completely disrupts the availability of the database's network service layer. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild the moment Oracle releases a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-46834 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream Oracle and NVD feeds, including custom-built images that bundle Oracle Database Server. Coverage applies to all images in connected registries and active CI/CD pipelines.

Status: Available

Triage

Triage is available using the CVSS 3.1 base score of 7.5 (HIGH), with per-environment compliance policy weighting applied to prioritize routing within each customer organization. Findings are directed to the appropriate team inbox based on each org's defined ownership rules.

Status: Available

Patch

Because no fix version has been published, HarborGuard re-checks the Oracle advisory and upstream package feeds on every ingest cycle. The moment Oracle publishes a patched release, a rebuilt image at that fix version becomes available, and customers with auto-remediation enabled will receive a regression-test run and a PR opened against affected workloads automatically.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Database Server Net Service over the network via TLS; no local or physical access is required.

  • Authentication: Not required

    No credentials of any kind are needed; the attack can be launched by any unauthenticated party with network access.

  • Victim interaction: Not required

    No user or administrator action is needed to trigger the vulnerability; the attacker operates entirely without victim participation.

  • Attack complexity (detail)

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup beyond basic network connectivity.

Blast Radius

  • Crashes or hangs the Oracle Database Server Net Service process, cutting off all network-layer database connectivity for the duration of the attack.
  • The disruption is repeatable, meaning an attacker can sustain the outage by re-triggering the crash in a loop without needing to re-authenticate or re-establish any session state.
  • No confidential data is read and no data is modified; impact is limited entirely to availability of the Net Service component.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46834 is active across connected registries and pipelines, matching any image that bundles an affected Oracle Database Server build in the 23.4.0-23.26.2 range. Because Oracle has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically once upstream ships a corrected release. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention. In the interim, compensating controls worth considering include isolating database hosts behind network policies that restrict TLS access to the Net Service port to known application-tier subnets only, applying egress filtering to limit lateral reachability, and reviewing whether any internet-facing listeners can be disabled or fronted by a proxy that validates connection state before forwarding to the database.
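One way to check the first compensating control above against an inventory, as an added example that is not HarborGuard or Oracle code: it flags hosts in the affected version range whose ingress rules let sources outside the approved application-tier subnets reach the Net Service TLS port. The inventory layout, host names, subnets and the port value 2484 are assumptions made for illustration.

```python
import ipaddress

AFFECTED = ((23, 4, 0), (23, 26, 2))  # advisory text: 23.4.0-23.26.2, inclusive

def parse_version(text):
    """'23.26.1' -> (23, 26, 1); missing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    return AFFECTED[0] <= parse_version(version) <= AFFECTED[1]

def exposed_sources(ingress_rules, listener_port, app_tier_cidrs):
    """Sources allowed to reach listener_port from outside the approved subnets."""
    approved = [ipaddress.ip_network(c) for c in app_tier_cidrs]
    findings = []
    for rule in ingress_rules:
        lo, hi = rule["ports"]
        if rule["action"] != "allow" or not lo <= listener_port <= hi:
            continue
        src = ipaddress.ip_network(rule["source"])
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if not any(src.version == a.version and src.subnet_of(a) for a in approved):
            findings.append(rule["source"])
    return findings

def audit(hosts, app_tier_cidrs):
    """Map each affected host to the over-broad sources that can reach it."""
    report = {}
    for host in hosts:
        if is_affected(host["db_version"]):
            bad = exposed_sources(host["ingress"], host["tcps_port"], app_tier_cidrs)
            if bad:
                report[host["name"]] = bad
    return report

# Constructed inventory: names, addresses and port 2484 are placeholders.
APP_TIER = ["10.20.0.0/24"]
HOSTS = [
    {"name": "db-prod-1", "db_version": "23.26.1", "tcps_port": 2484, "ingress": [
        {"action": "allow", "source": "10.20.0.0/24", "ports": (2484, 2484)},
        {"action": "allow", "source": "0.0.0.0/0", "ports": (2000, 3000)}]},
    {"name": "db-prod-2", "db_version": "23.5.0", "tcps_port": 2484, "ingress": [
        {"action": "allow", "source": "10.20.0.128/25", "ports": (2484, 2484)}]},
    {"name": "db-legacy", "db_version": "23.3.0", "tcps_port": 2484, "ingress": [
        {"action": "allow", "source": "0.0.0.0/0", "ports": (2484, 2484)}]},
]

if __name__ == "__main__":
    print(audit(HOSTS, APP_TIER))  # {'db-prod-1': ['0.0.0.0/0']}
```

The range check follows the advisory text (23.4.0-23.26.2); the metrics panel on this page lists the package as ≤ 23.26.2 with no lower bound, so lower the first tuple in `AFFECTED` if you want to follow that instead.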


Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1
  • Affected packages: Oracle Corporation / Oracle Database Server, ≤ 23.26.2
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H