CVE-2026-21975 Overview
CVE-2026-21975 is a denial-of-service vulnerability in the Java VM component of Oracle Database Server. Affected versions include Oracle Database 19.3 through 19.29 and 21.3 through 21.20. An authenticated attacker with high privileges and network access through Oracle Net can trigger a hang or repeatable crash of the Java VM. Successful exploitation requires interaction from a user other than the attacker. The flaw is tracked under CWE-404: Improper Resource Shutdown or Release.
Critical Impact
Successful exploitation causes a complete denial of service of the Oracle Database Java VM, disrupting database-resident Java workloads and dependent applications.
Affected Products
- Oracle Database Server, Java VM component, versions 19.3 through 19.29
- Oracle Database Server, Java VM component, versions 21.3 through 21.20
- Oracle Java Virtual Machine as packaged within the affected Oracle Database Server releases
Discovery Timeline
- 2026-01-20 - CVE-2026-21975 published to NVD
- 2026-01-20 - Oracle Critical Patch Update January 2026 released
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-21975
Vulnerability Analysis
The vulnerability resides in the Java VM component embedded within Oracle Database Server. An authenticated user can submit a crafted request over Oracle Net that the Java VM fails to handle correctly. The condition results in a hang or a repeatable crash of the Java VM process.
Exploitation requires the attacker to hold high database privileges and to coerce another user into performing an action. Confidentiality and integrity remain intact, but availability of the Java VM is fully compromised. Database-resident Java stored procedures, triggers, and Java-based application logic become unavailable during exploitation.
Root Cause
The underlying weakness is classified as CWE-404, Improper Resource Shutdown or Release. The Java VM does not correctly release or reset resources when processing the malicious input, leading to a fault state from which the component cannot recover without restart.
Attack Vector
The attack vector is network-based through Oracle Net. The attacker authenticates with high-privilege credentials, then crafts a request that triggers the resource-handling defect. A second user must interact with the attacker-controlled vector for the exploit to complete. Oracle has not released technical details of the exploitation primitive, and no public proof of concept is available. See the Oracle Critical Patch Update - January 2026 for vendor guidance.
Detection Methods for CVE-2026-21975
Indicators of Compromise
- Repeated Java VM crashes or hangs recorded in Oracle Database alert logs and trace files under $ORACLE_BASE/diag/rdbms/
- Unexpected ORA-29532, ORA-29516, or other Java VM runtime errors correlated with sessions from high-privilege accounts
- Spikes in Oracle Net session activity from authenticated users immediately preceding Java VM failures
Detection Strategies
- Monitor Oracle audit trails for unusual Java stored procedure invocations executed by privileged accounts such as SYS, SYSTEM, or users granted JAVAUSERPRIV and JAVASYSPRIV
- Correlate database listener logs with Java VM process restarts to identify exploitation attempts
- Baseline normal Java VM CPU and memory usage and alert on anomalous resource exhaustion patterns
Monitoring Recommendations
- Enable unified auditing for DBMS_JAVA and DBMS_JAVA_TEST package usage
- Forward Oracle alert logs and listener logs to a centralized SIEM for cross-session correlation
- Track privilege grants for JAVA_ADMIN roles and review them against an approved baseline
How to Mitigate CVE-2026-21975
Immediate Actions Required
- Apply the Oracle Critical Patch Update from January 2026 to all affected Database Server installations
- Inventory all Oracle Database 19.x and 21.x instances and confirm patch level before exposing them to networks with untrusted authenticated users
- Restrict and audit accounts holding JAVAUSERPRIV, JAVASYSPRIV, and JAVADEBUGPRIV privileges
Patch Information
Oracle addressed CVE-2026-21975 in the January 2026 Critical Patch Update. Administrators should download and apply the relevant Release Update or Patch Set Update for Oracle Database 19c and 21c. Refer to the Oracle Critical Patch Update Advisory - January 2026 for the patch matrix and download links.
Workarounds
- Revoke unnecessary Java execution privileges from non-administrative accounts until patching is complete
- Limit network access to the database listener using Oracle Net access control lists (sqlnet.oratcp.invited_nodes) to trusted hosts
- Disable the Java VM component in databases that do not require Java functionality, following Oracle's documented removal procedure
# Configuration example: restrict listener access via sqlnet.ora
tcp.validnode_checking = yes
tcp.invited_nodes = (10.0.0.10, 10.0.0.11, app-server-01)
# Reload the listener after editing
lsnrctl reload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

