SB2026042193 - Multiple vulnerabilities in Oracle Database Server

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026042193

SB2026042193 - Multiple vulnerabilities in Oracle Database Server

Published: April 21, 2026

Security Bulletin ID SB2026042193
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2026-34312)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the RDBMS in Oracle Database Server. A remote privileged user can exploit this vulnerability to gain access to sensitive information.


2) Uncontrolled Recursion (CVE-ID: CVE-2025-48924)

CWE-ID: CWE-674 - Uncontrolled Recursion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. A remote attacker can trigger uncontrolled recursion and perform a denial of service (DoS) attack.


3) Input validation error (CVE-ID: CVE-2025-31948)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A local user can pass specially crafted input to the application and perform a denial of service (DoS) attack.


4) Improper input validation (CVE-ID: CVE-2026-21999)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the XML Database in Oracle Database Server. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


5) Insufficient verification of data authenticity (CVE-ID: CVE-2026-26007)

CWE-ID: CWE-345 - Insufficient Verification of Data Authenticity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. A remote attacker can provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup.


6) Unchecked Return Value (CVE-ID: CVE-2026-31790)

CWE-ID: CWE-252 - Unchecked Return Value

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to incorrect failure handling in RSA KEM RSASVE encapsulation when processing an attacker-supplied invalid RSA public key with EVP_PKEY_encapsulate(). A remote attacker can supply an invalid RSA public key to disclose sensitive information.

The issue affects applications using RSA/RSASVE encapsulation without validating the supplied public key first.


7) Improper input validation (CVE-ID: CVE-2026-35229)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Java VM in Oracle Database Server. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


8) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-33870)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Green


The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests within chunked transfer encoding extension values. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.


Remediation

Install update from vendor's website.

References