ZeroPath at Black Hat USA 2026

Oracle Database Net Service CVE-2026-46834: Brief Summary of Unauthenticated TLS Denial of Service

A brief summary of CVE-2026-46834, a CVSS 7.5 denial of service vulnerability in Oracle Database Net Service that allows unauthenticated attackers to crash or hang the service via TLS, affecting all Oracle Database 23ai versions from 23.4.0 through 23.26.2.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-28

Oracle Database Net Service CVE-2026-46834: Brief Summary of Unauthenticated TLS Denial of Service
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated attacker who can reach an Oracle Database TLS listener can now cause a complete hang or repeatable crash of the Net Service component, disrupting all database connectivity for affected deployments. With Oracle Database powering over 37,000 enterprise customers globally and the affected version range spanning the entire 23ai release family, this vulnerability has meaningful operational implications for organizations that depend on Oracle for critical workloads.

Technical Information

CVE-2026-46834 resides in the Net Service component of Oracle Database Server. Net Service is Oracle's networking infrastructure responsible for managing all client to server communication, including connections encrypted with TLS. The vulnerability allows an unauthenticated attacker with network access via TLS to cause a hang or frequently repeatable crash of Net Service, resulting in a complete denial of service.

CVSS 3.1 Vector Analysis

The vulnerability scores 7.5 on CVSS 3.1 with the vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H):

MetricValueMeaning
Attack VectorNetworkExploitable remotely
Attack ComplexityLowNo specialized conditions required
Privileges RequiredNoneNo authentication needed
User InteractionNoneNo user action required
ScopeUnchangedImpact confined to Net Service
ConfidentialityNoneNo data disclosure
IntegrityNoneNo data modification
AvailabilityHighComplete denial of service

The combination of network attack vector, low complexity, and zero authentication requirements makes this vulnerability straightforward to reach. Any attacker who can establish a TLS connection to the Oracle Database listener port (typically 1521 or a configured TLS port) can potentially trigger the denial of service condition.

Attack Surface: TLS as the Entry Point

The attack is delivered via TLS, meaning it targets the encrypted communication channel used by Oracle Net Service. This has a notable defensive implication: traditional network security controls such as deep packet inspection cannot inspect the contents of TLS encrypted traffic, limiting the ability of network based defenses to detect or block exploitation attempts. The attacker needs only network level access and the ability to initiate a TLS handshake with the listener.

Root Cause and Technical Mechanism

The specific technical mechanism by which the denial of service is triggered has not been publicly disclosed. Oracle does not publish vulnerability details that could assist attackers, and the NVD record is currently marked as "Awaiting Enrichment" with no CWE ID assigned and no CVSS 4.0 assessment available. Whether the flaw involves resource exhaustion, a protocol parsing error, a malformed TLS handshake, or another vector remains unknown at this time.

The Companion Vulnerability: CVE-2026-46833

Understanding CVE-2026-46834 in isolation misses a critical piece of the picture. The May 2026 CSPU also addresses CVE-2026-46833, which targets the exact same component (Net Service), the exact same protocol (TLS), and the exact same version range (23.4.0 through 23.26.2). However, CVE-2026-46833 carries a CVSS 3.1 score of 9.0 with high confidentiality, integrity, and availability impacts, meaning it could enable full database compromise rather than just service disruption.

CVE IDComponentProtocolCVSS 3.1Impact
CVE-2026-46833Net ServiceTLS9.0High C/I/A
CVE-2026-46834Net ServiceTLS7.5High A only

CVE-2026-46833 was reported by HexRabbit of the DEVCORE Research Team. The two vulnerabilities together present a layered threat through the same network path: CVE-2026-46834 enables reliable service disruption while CVE-2026-46833 could enable data exfiltration and corruption. Patching only one while leaving the other unaddressed still leaves significant exposure. The Oracle CSPU addresses both in a single patch bundle.

Oracle's New Monthly Patch Cadence

This vulnerability was disclosed as part of Oracle's first monthly Critical Security Patch Update (CSPU), replacing the previous quarterly Critical Patch Update cycle. The May 2026 CSPU addresses 35 new security patches across multiple product families. For context, the April 2026 CPU (the last quarterly release) contained 8 new security patches for Oracle Database Products, with 4 remotely exploitable without authentication. Organizations must now adapt their patch management processes to this accelerated monthly cadence.

Affected Systems and Versions

The vulnerability affects Oracle Database Server versions 23.4.0 through 23.26.2. This encompasses the entire Oracle Database 23ai (23c) release family.

Oracle Database 19c, which remains under Long Term Support, is not listed in the affected version range.

The vulnerability specifically targets the Net Service component when TLS encrypted connections are in use. Deployments that do not expose TLS enabled Net Service listeners to untrusted networks have a reduced (but not eliminated) attack surface.

Vendor Security History

Oracle's security track record has faced significant scrutiny in recent years. In Q1 2025, a threat actor known as "rose87168" posted approximately 6 million data records for sale on BreachForums, claiming access to Oracle's traditional servers. Investigation by CybelAngel revealed that an attacker had installed a webshell and additional malware on Oracle's Gen 1 servers (Oracle Cloud Classic) as early as January 2025, stealing data from the Oracle Identity Manager database for approximately two months. CloudSEK identified the compromised credential data as belonging to more than 140,000 Oracle cloud tenants.

Oracle confirmed that a hacker accessed two outdated servers described as "never part of OCI," but cybersecurity expert Kevin Beaumont criticized this response as a "play on words," noting that the affected Oracle Classic services are still Oracle managed cloud services. Separately, up to 80 hospitals may have been affected by the Oracle Health data breach, with at least 14,485 individuals confirmed impacted.

This breach history is relevant because it demonstrates that Oracle infrastructure is actively targeted by threat actors, and that Oracle's disclosure practices have drawn criticism for minimizing the scope of security incidents. The pattern reinforces the importance of prompt patching rather than relying on workarounds or delayed responses.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization