This vulnerability affects the Net Service component of Oracle Database Server versions 23.4.0 to 23.26.2. It is exploitable remotely by an unauthenticated attacker over a network via TLS, though exploitation is considered difficult. Successful exploitation can lead to complete compromise of the Net Service, with a scope change potentially impacting additional Oracle products. The vulnerability is rated critical with a CVSS 3.1 score of 9.0, reflecting high confidentiality, integrity, and availability impacts. Oracle has released patches for this vulnerability as part of the May 2026 Critical Security Patch Update. The vendor strongly recommends applying these patches immediately and maintaining supported product versions. Temporary mitigations such as blocking network protocols or removing unnecessary privileges may reduce risk but do not fix the underlying issue.

Successful exploitation of CVE-2026-46833 can result in takeover of the Net Service component within Oracle Database Server, impacting confidentiality, integrity, and availability of the affected system. The vulnerability also has a scope change, meaning that additional Oracle products relying on Net Service may be significantly impacted. The CVSS 3.1 score of 9.0 reflects critical severity. No known exploits in the wild have been reported so far.

Oracle has released security patches addressing this vulnerability in the May 2026 Critical Security Patch Update. Customers should apply these patches as soon as possible to remediate the vulnerability. Until patches are applied, risk may be partially mitigated by blocking network protocols required for exploitation or by removing unnecessary privileges from users, but these are not substitutes for patching and may disrupt application functionality. Oracle strongly recommends testing any such mitigations in non-production environments. Maintaining supported product versions and timely patch application is critical.