Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-21975

CVE-2026-21975: Oracle Java Virtual Machine DOS Vulnerability

CVE-2026-21975 is a denial of service vulnerability in Oracle Java Virtual Machine affecting versions 19.3-19.29 and 21.3-21.20. Attackers can cause system crashes with high privileges. This article covers technical details, impact analysis, and mitigation strategies.

Updated:

CVE-2026-21975 Overview

CVE-2026-21975 is a denial-of-service vulnerability in the Java VM component of Oracle Database Server. Affected versions include Oracle Database 19.3 through 19.29 and 21.3 through 21.20. An authenticated attacker with high privileges and network access through Oracle Net can trigger a hang or repeatable crash of the Java VM. Successful exploitation requires interaction from a user other than the attacker. The flaw is tracked under CWE-404: Improper Resource Shutdown or Release.

Critical Impact

Successful exploitation causes a complete denial of service of the Oracle Database Java VM, disrupting database-resident Java workloads and dependent applications.

Affected Products

  • Oracle Database Server, Java VM component, versions 19.3 through 19.29
  • Oracle Database Server, Java VM component, versions 21.3 through 21.20
  • Oracle Java Virtual Machine as packaged within the affected Oracle Database Server releases

Discovery Timeline

  • 2026-01-20 - CVE-2026-21975 published to NVD
  • 2026-01-20 - Oracle Critical Patch Update January 2026 released
  • 2026-01-29 - Last updated in NVD database

Technical Details for CVE-2026-21975

Vulnerability Analysis

The vulnerability resides in the Java VM component embedded within Oracle Database Server. An authenticated user can submit a crafted request over Oracle Net that the Java VM fails to handle correctly. The condition results in a hang or a repeatable crash of the Java VM process.

Exploitation requires the attacker to hold high database privileges and to coerce another user into performing an action. Confidentiality and integrity remain intact, but availability of the Java VM is fully compromised. Database-resident Java stored procedures, triggers, and Java-based application logic become unavailable during exploitation.

Root Cause

The underlying weakness is classified as CWE-404, Improper Resource Shutdown or Release. The Java VM does not correctly release or reset resources when processing the malicious input, leading to a fault state from which the component cannot recover without restart.

Attack Vector

The attack vector is network-based through Oracle Net. The attacker authenticates with high-privilege credentials, then crafts a request that triggers the resource-handling defect. A second user must interact with the attacker-controlled vector for the exploit to complete. Oracle has not released technical details of the exploitation primitive, and no public proof of concept is available. See the Oracle Critical Patch Update - January 2026 for vendor guidance.

Detection Methods for CVE-2026-21975

Indicators of Compromise

  • Repeated Java VM crashes or hangs recorded in Oracle Database alert logs and trace files under $ORACLE_BASE/diag/rdbms/
  • Unexpected ORA-29532, ORA-29516, or other Java VM runtime errors correlated with sessions from high-privilege accounts
  • Spikes in Oracle Net session activity from authenticated users immediately preceding Java VM failures

Detection Strategies

  • Monitor Oracle audit trails for unusual Java stored procedure invocations executed by privileged accounts such as SYS, SYSTEM, or users granted JAVAUSERPRIV and JAVASYSPRIV
  • Correlate database listener logs with Java VM process restarts to identify exploitation attempts
  • Baseline normal Java VM CPU and memory usage and alert on anomalous resource exhaustion patterns

Monitoring Recommendations

  • Enable unified auditing for DBMS_JAVA and DBMS_JAVA_TEST package usage
  • Forward Oracle alert logs and listener logs to a centralized SIEM for cross-session correlation
  • Track privilege grants for JAVA_ADMIN roles and review them against an approved baseline

How to Mitigate CVE-2026-21975

Immediate Actions Required

  • Apply the Oracle Critical Patch Update from January 2026 to all affected Database Server installations
  • Inventory all Oracle Database 19.x and 21.x instances and confirm patch level before exposing them to networks with untrusted authenticated users
  • Restrict and audit accounts holding JAVAUSERPRIV, JAVASYSPRIV, and JAVADEBUGPRIV privileges

Patch Information

Oracle addressed CVE-2026-21975 in the January 2026 Critical Patch Update. Administrators should download and apply the relevant Release Update or Patch Set Update for Oracle Database 19c and 21c. Refer to the Oracle Critical Patch Update Advisory - January 2026 for the patch matrix and download links.

Workarounds

  • Revoke unnecessary Java execution privileges from non-administrative accounts until patching is complete
  • Limit network access to the database listener using Oracle Net access control lists (sqlnet.oratcp.invited_nodes) to trusted hosts
  • Disable the Java VM component in databases that do not require Java functionality, following Oracle's documented removal procedure
bash
# Configuration example: restrict listener access via sqlnet.ora
tcp.validnode_checking = yes
tcp.invited_nodes = (10.0.0.10, 10.0.0.11, app-server-01)
# Reload the listener after editing
lsnrctl reload

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.