Introduction
An unauthenticated attacker who can reach an Oracle Database TLS listener can now cause a complete hang or repeatable crash of the Net Service component, disrupting all database connectivity for affected deployments. With Oracle Database powering over 37,000 enterprise customers globally and the affected version range spanning the entire 23ai release family, this vulnerability has meaningful operational implications for organizations that depend on Oracle for critical workloads.
Technical Information
CVE-2026-46834 resides in the Net Service component of Oracle Database Server. Net Service is Oracle's networking infrastructure responsible for managing all client to server communication, including connections encrypted with TLS. The vulnerability allows an unauthenticated attacker with network access via TLS to cause a hang or frequently repeatable crash of Net Service, resulting in a complete denial of service.
CVSS 3.1 Vector Analysis
The vulnerability scores 7.5 on CVSS 3.1 with the vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H):
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Exploitable remotely |
| Attack Complexity | Low | No specialized conditions required |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No user action required |
| Scope | Unchanged | Impact confined to Net Service |
| Confidentiality | None | No data disclosure |
| Integrity | None | No data modification |
| Availability | High | Complete denial of service |
The combination of network attack vector, low complexity, and zero authentication requirements makes this vulnerability straightforward to reach. Any attacker who can establish a TLS connection to the Oracle Database listener port (typically 1521 or a configured TLS port) can potentially trigger the denial of service condition.
Attack Surface: TLS as the Entry Point
The attack is delivered via TLS, meaning it targets the encrypted communication channel used by Oracle Net Service. This has a notable defensive implication: traditional network security controls such as deep packet inspection cannot inspect the contents of TLS encrypted traffic, limiting the ability of network based defenses to detect or block exploitation attempts. The attacker needs only network level access and the ability to initiate a TLS handshake with the listener.
Root Cause and Technical Mechanism
The specific technical mechanism by which the denial of service is triggered has not been publicly disclosed. Oracle does not publish vulnerability details that could assist attackers, and the NVD record is currently marked as "Awaiting Enrichment" with no CWE ID assigned and no CVSS 4.0 assessment available. Whether the flaw involves resource exhaustion, a protocol parsing error, a malformed TLS handshake, or another vector remains unknown at this time.
The Companion Vulnerability: CVE-2026-46833
Understanding CVE-2026-46834 in isolation misses a critical piece of the picture. The May 2026 CSPU also addresses CVE-2026-46833, which targets the exact same component (Net Service), the exact same protocol (TLS), and the exact same version range (23.4.0 through 23.26.2). However, CVE-2026-46833 carries a CVSS 3.1 score of 9.0 with high confidentiality, integrity, and availability impacts, meaning it could enable full database compromise rather than just service disruption.
| CVE ID | Component | Protocol | CVSS 3.1 | Impact |
|---|---|---|---|---|
| CVE-2026-46833 | Net Service | TLS | 9.0 | High C/I/A |
| CVE-2026-46834 | Net Service | TLS | 7.5 | High A only |
CVE-2026-46833 was reported by HexRabbit of the DEVCORE Research Team. The two vulnerabilities together present a layered threat through the same network path: CVE-2026-46834 enables reliable service disruption while CVE-2026-46833 could enable data exfiltration and corruption. Patching only one while leaving the other unaddressed still leaves significant exposure. The Oracle CSPU addresses both in a single patch bundle.
Oracle's New Monthly Patch Cadence
This vulnerability was disclosed as part of Oracle's first monthly Critical Security Patch Update (CSPU), replacing the previous quarterly Critical Patch Update cycle. The May 2026 CSPU addresses 35 new security patches across multiple product families. For context, the April 2026 CPU (the last quarterly release) contained 8 new security patches for Oracle Database Products, with 4 remotely exploitable without authentication. Organizations must now adapt their patch management processes to this accelerated monthly cadence.
Affected Systems and Versions
The vulnerability affects Oracle Database Server versions 23.4.0 through 23.26.2. This encompasses the entire Oracle Database 23ai (23c) release family.
Oracle Database 19c, which remains under Long Term Support, is not listed in the affected version range.
The vulnerability specifically targets the Net Service component when TLS encrypted connections are in use. Deployments that do not expose TLS enabled Net Service listeners to untrusted networks have a reduced (but not eliminated) attack surface.
Vendor Security History
Oracle's security track record has faced significant scrutiny in recent years. In Q1 2025, a threat actor known as "rose87168" posted approximately 6 million data records for sale on BreachForums, claiming access to Oracle's traditional servers. Investigation by CybelAngel revealed that an attacker had installed a webshell and additional malware on Oracle's Gen 1 servers (Oracle Cloud Classic) as early as January 2025, stealing data from the Oracle Identity Manager database for approximately two months. CloudSEK identified the compromised credential data as belonging to more than 140,000 Oracle cloud tenants.
Oracle confirmed that a hacker accessed two outdated servers described as "never part of OCI," but cybersecurity expert Kevin Beaumont criticized this response as a "play on words," noting that the affected Oracle Classic services are still Oracle managed cloud services. Separately, up to 80 hospitals may have been affected by the Oracle Health data breach, with at least 14,485 individuals confirmed impacted.
This breach history is relevant because it demonstrates that Oracle infrastructure is actively targeted by threat actors, and that Oracle's disclosure practices have drawn criticism for minimizing the scope of security incidents. The pattern reinforces the importance of prompt patching rather than relying on workarounds or delayed responses.
References
- NVD Entry for CVE-2026-46834
- Oracle Security Critical Patch Update Advisory, May 2026
- Oracle Critical Patch Updates and Security Alerts
- Oracle Critical Patch Update Advisory, April 2026
- Oracle Critical Patch Update Advisory, January 2026
- CISA Known Exploited Vulnerabilities Catalog
- January 2026 CVE Landscape: 23 Critical Vulnerabilities, Recorded Future
- Oracle confirms data breach via outdated servers, Techzine
- Oracle Appears to Admit Breach of 2 'Obsolete' Servers, Dark Reading
- 80 Hospitals May Have Been Affected by the Oracle Health Data Breach, HIPAA Journal
- Enterprise Database Market Research Report 2034, Dataintelo
- Best Relational Databases Software in 2026, 6sense
- Oracle Corporation Company Profile, IBISWorld



