This vulnerability affects the Java VM component within Oracle Database Server versions 19.3 to 19.30 and 21.3 to 21.21. It can be exploited remotely by an unauthenticated attacker with network access through Oracle Net, allowing compromise of the Java VM. The impact is unauthorized access to critical data or complete access to all data accessible by the Java VM. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, and high confidentiality impact with no integrity or availability impact. The vulnerability is categorized under CWE-284 (Improper Access Control). Oracle's April 2026 Critical Patch Update advisory references this and many other vulnerabilities but does not explicitly state patch availability or remediation details for this CVE in the provided content.

Successful exploitation allows an unauthenticated remote attacker to gain unauthorized access to critical or all data accessible by the Java VM component of affected Oracle Database Server versions. This compromises confidentiality but does not affect integrity or availability. There are no known exploits in the wild at this time.

Oracle's April 2026 Critical Patch Update advisory strongly recommends applying the latest patches promptly to address vulnerabilities including this one. However, the provided advisory content does not explicitly confirm the availability of a specific patch or fix for CVE-2026-35229. Therefore, patch status is not yet confirmed—check the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for current remediation guidance. Customers should remain on actively supported versions and apply Critical Patch Updates without delay once patches are available.