HIGH | CVE-2026-46835 | CNA: oracle

CVE-2026-46835: Vulnerability in the Net Service component of Oracle Database Server

Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Net Service. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

HarborGuard Analysis


Synopsis

A denial-of-service vulnerability exists in the Net Service component of Oracle Database Server, affecting versions 23.4.0 through 23.26.2. An unauthenticated attacker with network access via TLS can exploit it without an account, user interaction, or special conditions. Successful exploitation causes a hang or a frequently repeatable crash (complete denial of service) of the Net Service component. No fix version has been published yet; HarborGuard tracks the upstream advisory and will flag availability of a patched rebuild the moment Oracle ships a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-46835 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built Oracle Database Server images in customer registries and CI/CD pipelines. Any image shipping an affected Net Service version in the 23.4.0 to 23.26.2 range is flagged automatically.

Status: Available

Triage

HarborGuard triage capability applies the CVSS 3.1 score of 7.5 (HIGH) to each matched finding, weighted against the per-environment compliance policy configured by each customer organization. Findings are routed to the appropriate team inbox based on policy rules, so the right people see the alert without manual sorting.

Status: Available

Patch

No fix version has been published by Oracle for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Oracle Database Server Net Service component over the network via TLS; no local or physical access is needed, but the service must be network-exposed.

  • Authentication: Not required

    No credentials or account of any privilege level are needed; the attacker can send malformed TLS traffic as an anonymous, unauthenticated client.

  • Victim interaction: Not required

    No user or administrator action is required to trigger the vulnerability; the attacker alone drives the exploit.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and repeatable with no dependency on race conditions, memory layout, or other environmental factors.

Blast Radius

  • The Net Service component crashes or hangs, making the Oracle Database Server unreachable to all connecting clients.
  • The crash is described as frequently repeatable, so an attacker can sustain the outage by re-triggering it after any automatic recovery.
  • All database operations dependent on Net Service (queries, transactions, connections) are interrupted for the duration of the denial-of-service condition.
  • No confidential data is read and no data is modified; impact is confined entirely to availability of the service.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46835 is active across customer environments scanning Oracle Database Server images in the 23.4.0 to 23.26.2 range. Because Oracle has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard monitors the advisory on every ingest cycle and will surface a rebuild the moment an upstream patch is released; for customers with auto-remediation enabled, the rebuild, regression run, and PR flow will trigger automatically at that point.

In the interim, recommended compensating controls include:

  • Applying network policy to restrict TLS access to the Net Service port to known, trusted source addresses only.
  • Enabling egress filtering to limit lateral exposure.
  • Placing the database tier behind a firewall or service mesh policy that prevents unauthenticated external connections from reaching the listener directly.
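One way to check the first compensating control, restricting the Net Service port to trusted sources, is to audit ingress rules before relying on them. This is an added example, not HarborGuard or Oracle code. The port number (2484), the trusted subnets, the rule shape and the sample rules are all assumptions constructed for illustration.

```python
import ipaddress

# Assumption: 2484 stands in for the TLS listener port; the page does not name one.
LISTENER_PORT = 2484

# Assumption: constructed allow-list of trusted application subnets.
TRUSTED_SOURCES = [ipaddress.ip_network(c) for c in ("10.20.0.0/24", "10.20.1.0/24")]

# Constructed sample ingress rules in a simplified, vendor-neutral shape:
# a source CIDR and an inclusive (low, high) destination port range.
SAMPLE_RULES = [
    {"id": "app-tier", "source": "10.20.0.0/24", "ports": (2484, 2484)},
    {"id": "legacy-any", "source": "0.0.0.0/0", "ports": (2484, 2484)},
    {"id": "wide-range", "source": "10.0.0.0/8", "ports": (1024, 65535)},
    {"id": "ssh-admin", "source": "0.0.0.0/0", "ports": (22, 22)},
    {"id": "app-host", "source": "10.20.1.17/32", "ports": (2000, 3000)},
]


def covers_port(rule, port):
    """True if the rule's port range includes the listener port."""
    low, high = rule["ports"]
    return low <= port <= high


def is_trusted(source_cidr, trusted):
    """True only if the whole source range sits inside one trusted network."""
    src = ipaddress.ip_network(source_cidr, strict=False)
    return any(src.version == t.version and src.subnet_of(t) for t in trusted)


def audit(rules, port=LISTENER_PORT, trusted=TRUSTED_SOURCES):
    """Return ids of rules that admit untrusted sources to the listener port."""
    return [
        r["id"]
        for r in rules
        if covers_port(r, port) and not is_trusted(r["source"], trusted)
    ]


if __name__ == "__main__":
    for rule_id in audit(SAMPLE_RULES):
        print(f"rule {rule_id}: listener port reachable from outside the trusted set")
```

A rule is flagged when any part of its source range falls outside the allow-list, so a broad internal range such as 10.0.0.0/8 is reported alongside 0.0.0.0/0.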


Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in
Affected Products: 1
Affected packages
  • Oracle Corporation / Oracle Database Server ≤ 23.26.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H