This vulnerability affects the Java VM component within Oracle Database Server versions 19.3-19.30 and 21.3-21.21. It is exploitable remotely by unauthenticated attackers via Oracle Net, allowing compromise of the Java VM and unauthorized access to sensitive data. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality impact with no integrity or availability impact. The vulnerability is included in Oracle's April 2026 Critical Patch Update, which addresses 481 security issues across Oracle products. The advisory strongly recommends applying the update promptly to mitigate this and other vulnerabilities. Specific patch details for this CVE should be verified in the official Oracle patch documentation linked in the advisory.

Successful exploitation can lead to unauthorized access to critical or all data accessible by the Java VM within the affected Oracle Database Server versions. This compromises confidentiality but does not affect integrity or availability according to the CVSS vector. The vulnerability is remotely exploitable without authentication, increasing its risk profile. There are no known exploits in the wild at the time of publication.

Oracle has released the April 2026 Critical Patch Update which includes patches addressing this vulnerability among others. Customers are strongly advised to apply this update without delay to remediate the issue. Since the advisory does not explicitly state the patch status for this specific CVE, users should consult the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for detailed patch availability and installation instructions. No alternative mitigations or workarounds are provided in the advisory.