CVE-2026-46835 affects the Net Service component of Oracle Database Server versions 23.4.0 to 23.26.2. The vulnerability enables an unauthenticated attacker with network access over TLS to cause the Net Service to hang or crash repeatedly, leading to a complete denial of service. The CVSS 3.1 score of 7.5 indicates a high impact on availability with no confidentiality or integrity impact. Oracle has addressed this vulnerability in its May 2026 Critical Security Patch Update, which includes 35 new security patches across multiple products. The vendor strongly recommends applying these patches immediately. Workarounds such as blocking network protocols or removing unnecessary privileges may reduce risk temporarily but do not fix the underlying issue. Oracle's advisory emphasizes the importance of patching and staying on supported product versions.

Successful exploitation of this vulnerability results in a denial of service condition by causing the Oracle Net Service to hang or crash repeatedly. This disrupts availability of the Oracle Database Server component but does not impact confidentiality or integrity of data. The vulnerability can be exploited remotely by unauthenticated attackers with network access via TLS, increasing the risk of widespread disruption if unpatched.

Oracle has released a security patch for this vulnerability as part of the May 2026 Critical Security Patch Update. Customers should apply this patch promptly to remediate the issue. Until the patch is applied, risk may be reduced by blocking network protocols required for the attack or by removing unnecessary privileges from users, but these are not long-term solutions and may impact functionality. Oracle strongly recommends testing any such changes in non-production environments. Staying on actively supported versions and applying all security patches without delay is advised.