This vulnerability affects the Net Service component of Oracle Database Server versions 23.4.0 to 23.26.2. It can be exploited remotely by unauthenticated attackers over TLS to cause a denial of service by hanging or crashing the Net Service, impacting availability. The CVSS 3.1 score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Oracle has addressed this issue in its May 2026 Critical Security Patch Update, which includes 35 security patches across multiple products. The vendor strongly recommends applying these patches immediately. Workarounds such as blocking network protocols or removing unnecessary privileges may reduce risk temporarily but do not fix the underlying issue. Oracle advises customers to remain on supported versions and keep patches up to date.

Successful exploitation results in a complete denial of service (hang or repeated crash) of the Net Service component in Oracle Database Server, affecting availability. There is no impact on confidentiality or integrity. The vulnerability can be exploited remotely without authentication via network access over TLS.

Oracle has released a security patch for this vulnerability as part of the May 2026 Critical Security Patch Update. Customers should apply the patch promptly to remediate the issue. Until the patch is applied, risk may be reduced by blocking network protocols required for exploitation or removing unnecessary privileges from users, but these are not permanent solutions and may disrupt functionality. Oracle strongly recommends testing any such mitigations in non-production environments. Staying on actively supported versions and applying security patches without delay is advised.