Brief Summary: Oracle Database Server Java VM Unauthenticated Data Exposure (CVE-2026-35229)

A short review of CVE-2026-35229, a high severity vulnerability in the Oracle Database Server Java VM component that allows unauthenticated attackers to access critical data over Oracle Net without any privileges or user interaction.

ZeroPath CVE Analysis

2026-04-21

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

An unauthenticated network vulnerability in Oracle Database Server's Java VM component allows remote attackers to read critical data without any credentials or user interaction, scoring a CVSS 7.5 for its confidentiality impact alone. With Oracle holding the top position in global database management system rankings and a score of 1157.93 on the DB Engines Ranking as of April 2026, the potential blast radius of CVE-2026-35229 across enterprise environments is substantial.

Technical Information

CVE-2026-35229 resides in the Java VM component of Oracle Database Server. The vulnerability is characterized by its CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, which tells us quite a bit about the nature and severity of the flaw.

The attack vector is network based (AV:N), so exploitation does not require local or physical access to the database host. The attack complexity is low (AC:L): no specialized access conditions or extenuating circumstances, such as a race the attacker must win, are needed. Most critically, the vulnerability requires no privileges (PR:N) and no user interaction (UI:N). An attacker needs only network connectivity to the Oracle Net listener to initiate the attack.

The scope is unchanged (S:U), meaning the vulnerable component and the impacted component are governed by the same security authority, here the database's Java VM. The confidentiality impact is high (C:H), which in CVSS terms is a total loss of confidentiality within the affected component; Oracle's advisory phrases this as unauthorized access to critical data or complete access to all Java VM accessible data. Integrity (I:N) and availability (A:N) are unaffected, so this is purely a data disclosure vulnerability. A base score describes the worst-case impact reachable by an attacker; it says nothing about whether exploitation has been observed in the wild, which is what the separate temporal metrics capture.

Attack Flow

Oracle's advisory publishes the CVSS vector and a one-line impact statement, not exploitation details, so the following path is inferred from those rather than from a public write-up:

  1. The attacker identifies an Oracle Database Server instance whose Oracle Net listener is reachable over the network.
  2. The attacker sends crafted requests over the Oracle Net protocol to the Java VM component; no credentials are required at any stage.
  3. On success, the attacker obtains unauthorized read access to data accessible to the Java VM, which may include critical or sensitive database contents.

The combination of network accessibility, low complexity, and zero authentication requirements makes this vulnerability exploitable at scale by any attacker who can reach the Oracle Net listener.

Affected Versions

Oracle lists the following supported Oracle Database Server release lines as affected:

Release Line    Affected Version Range
19c             19.3 through 19.30
21c             21.3 through 21.21

Oracle Database 19c is the Long Term Release and by far the most widely deployed line in production enterprise environments; 21c is an Innovation Release with a shorter support window, not a second long-term line. Any deployment running these versions with the Java VM component installed and Oracle Net reachable from untrusted networks is at risk. Because Java VM is an optional component, organizations should verify whether it is installed and active in each instance (it appears as JServer JAVA Virtual Machine in DBA_REGISTRY) before treating the instance as exposed.
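An added example, not Oracle's tooling or code from the original analysis, of how a DBA would triage an instance against these two conditions: release inside the affected range, and Java VM actually present. The SQL strings name the views a practitioner would query (V$INSTANCE.VERSION_FULL and DBA_REGISTRY); the result rows are constructed inline so the logic runs offline, and the 21.22 sample is a hypothetical release number used only to exercise the out-of-range branch. It also catches the common mistake of reading VERSION instead of VERSION_FULL, which hides the Release Update number.

```python
"""Exposure triage for CVE-2026-35229 (added example, not Oracle's tooling).

Two checks the advisory implies: is the instance inside the affected release
ranges, and is the Java VM component installed at all? The SQL below is what
a DBA would run; the sample rows are constructed here so the logic runs
offline. Ranges are those listed in Oracle's advisory.
"""
from dataclasses import dataclass
from typing import Optional

# VERSION_FULL (18c and later) carries the Release Update, e.g. 19.27.0.0.0;
# the older VERSION column reports 19.0.0.0.0 for every 19c RU, so it cannot
# place an instance inside or outside the advisory's ranges.
SQL_VERSION = "SELECT version_full FROM v$instance"
# JAVAVM is the comp_id of 'JServer JAVA Virtual Machine' in DBA_REGISTRY.
SQL_JAVAVM = "SELECT comp_id, status FROM dba_registry WHERE comp_id = 'JAVAVM'"

# major release -> (first affected RU, last affected RU), per the advisory.
AFFECTED_RANGES = {19: (3, 30), 21: (3, 21)}


def parse_release(version_full):
    """'19.27.0.0.0' -> (19, 27). Rejects the RU-less VERSION form."""
    parts = version_full.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version_full!r}")
    major, ru = int(parts[0]), int(parts[1])
    if major >= 18 and ru == 0:
        raise ValueError(
            f"{version_full!r} has no Release Update number; "
            "query VERSION_FULL, not VERSION")
    return major, ru


def version_in_affected_range(version_full):
    """True if the release falls inside an advisory range."""
    major, ru = parse_release(version_full)
    if major not in AFFECTED_RANGES:
        return False  # release line not listed in the advisory; cannot be flagged by it
    low, high = AFFECTED_RANGES[major]
    return low <= ru <= high


@dataclass
class Finding:
    affected_version: bool
    javavm_installed: bool
    javavm_status: Optional[str]

    @property
    def exposed(self):
        # Both must hold: affected release AND the vulnerable component present.
        # An INVALID JAVAVM row still counts as installed; treat it conservatively.
        return self.affected_version and self.javavm_installed


def triage(version_full, registry_rows):
    """version_full: the VERSION_FULL value; registry_rows: (comp_id, status) tuples."""
    javavm = [status for comp_id, status in registry_rows if comp_id == "JAVAVM"]
    return Finding(
        affected_version=version_in_affected_range(version_full),
        javavm_installed=bool(javavm),
        javavm_status=javavm[0] if javavm else None,
    )


# Constructed sample results, as if returned by the two queries above.
SAMPLE_19C_WITH_JVM = ("19.27.0.0.0",
                       [("CATALOG", "VALID"), ("JAVAVM", "VALID"), ("XDB", "VALID")])
SAMPLE_19C_NO_JVM = ("19.27.0.0.0", [("CATALOG", "VALID"), ("XDB", "VALID")])
# Hypothetical release number, only to exercise the out-of-range branch.
SAMPLE_21C_OUT_OF_RANGE = ("21.22.0.0.0", [("JAVAVM", "VALID")])

if __name__ == "__main__":
    for name, (ver, rows) in {
        "19c with Java VM": SAMPLE_19C_WITH_JVM,
        "19c without Java VM": SAMPLE_19C_NO_JVM,
        "21c out of range (hypothetical)": SAMPLE_21C_OUT_OF_RANGE,
    }.items():
        f = triage(ver, rows)
        print(f"{name:32} version_affected={f.affected_version} "
              f"javavm={f.javavm_status} exposed={f.exposed}")
```

The deliberate failure on a `19.0.0.0.0` string is the point of the parser: an inventory built from V$VERSION.BANNER or DBA_REGISTRY.VERSION will report every 19c instance as 19.0 and silently match nothing.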

Vendor Security History

Oracle's April 2026 Critical Patch Update contained 481 new security patches across their product portfolio, with 8 patches specifically targeting Oracle Database Products. This volume reflects the breadth of Oracle's product surface and the ongoing effort required to maintain security across it.

Oracle has publicly acknowledged that they continue to receive reports of attackers successfully compromising systems where customers failed to apply available patches. This pattern of delayed patching leading to real world compromise is a recurring theme in Oracle's security advisories and reinforces the importance of treating Critical Patch Updates as a priority maintenance activity rather than a discretionary one.
