Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35229

CVE-2026-35229: Oracle Java VM Auth Bypass Vulnerability

CVE-2026-35229 is an authentication bypass vulnerability in Oracle Java Virtual Machine that allows unauthorized access to critical data. This article covers the technical details, affected versions, impact, and mitigation.

Updated:

CVE-2026-35229 Overview

CVE-2026-35229 is a high-severity vulnerability in the Java VM component of Oracle Database Server. The flaw affects supported versions 19.3-19.30 and 21.3-21.21. An unauthenticated attacker with network access via Oracle Net can exploit the issue to compromise the Java VM. Successful exploitation results in unauthorized access to critical data or complete access to all Java VM accessible data. The vulnerability maps to CWE-284: Improper Access Control.

Critical Impact

Remote unauthenticated attackers can read all data accessible to the Oracle Database Java VM, exposing sensitive database contents without requiring credentials or user interaction.

Affected Products

  • Oracle Database Server Java VM versions 19.3 through 19.30
  • Oracle Database Server Java VM versions 21.3 through 21.21
  • Deployments exposing Oracle Net listeners to untrusted networks

Discovery Timeline

  • 2026-04-21 - Oracle disclosed the vulnerability in the Oracle Security Alert April 2026
  • 2026-04-21 - CVE-2026-35229 published to NVD
  • 2026-05-05 - Last updated in NVD database

Technical Details for CVE-2026-35229

Vulnerability Analysis

The vulnerability resides in the Java VM component embedded within Oracle Database Server. The Java VM allows execution of Java code inside the database engine and provides access to database objects through its runtime. The flaw permits a remote unauthenticated actor connecting through Oracle Net to bypass access controls protecting Java VM resources. The CVSS vector indicates full confidentiality impact with no integrity or availability consequences, meaning the attack is read-oriented. The EPSS score sits at 0.05% with a 15.46 percentile, reflecting low observed exploitation activity at this time.

Root Cause

The root cause is improper access control [CWE-284] within the Java VM component. Authorization checks fail to restrict certain operations that expose Java VM accessible data to unauthenticated network callers. Oracle has not published implementation-level details beyond the advisory.

Attack Vector

The attack vector is network-based through Oracle Net, the protocol used by clients to communicate with the Oracle Database listener. Exploitation requires no privileges, no user interaction, and low attack complexity. An attacker who can reach the database listener over TCP can initiate the exploit path against the Java VM component.

No verified public proof-of-concept code is available. See the Oracle Security Alert April 2026 for vendor-supplied technical context.

Detection Methods for CVE-2026-35229

Indicators of Compromise

  • Unexpected Oracle Net connections from external or non-application source IP addresses targeting database listener ports such as 1521
  • Anomalous volumes of Java VM related queries or stored procedure invocations referencing DBMS_JAVA or SYS.JAVA$ objects
  • Listener log entries showing repeated connection attempts from unauthenticated sessions before successful Java VM activity

Detection Strategies

  • Audit Oracle Database listener logs (listener.log) and unified audit trail entries for unauthenticated or low-privilege sessions interacting with Java VM packages
  • Monitor for execution of Java stored procedures and class loading events outside known application baselines
  • Correlate network flow telemetry to identify Oracle Net traffic originating from unexpected network segments

Monitoring Recommendations

  • Enable Oracle unified auditing on JAVACLASS, JAVASOURCE, and JAVARESOURCE object types to capture Java VM access
  • Forward database audit logs and listener logs to a centralized analytics platform for retention and correlation
  • Establish behavioral baselines for application-to-database connections and alert on deviations involving Java VM features

How to Mitigate CVE-2026-35229

Immediate Actions Required

  • Apply the April 2026 Oracle Critical Patch Update to all affected Oracle Database Server instances
  • Inventory all 19.3-19.30 and 21.3-21.21 deployments to confirm patch coverage
  • Restrict network reachability to the Oracle Net listener using firewall rules and Oracle Net tcp.invited_nodes allow-lists

Patch Information

Oracle released fixes as part of the April 2026 Critical Patch Update. Administrators should review and apply the relevant patches documented in the Oracle Security Alert April 2026 advisory for both the 19c and 21c release lines.

Workarounds

  • Disable the Java VM component on database instances that do not require Java stored procedures, using rmjvm.sql where supported
  • Place database listeners behind network segmentation so only application servers can reach Oracle Net ports
  • Enforce Oracle Net valid node checking to limit inbound connections to known client addresses
bash
# Configuration example: restrict Oracle Net listener to known clients
# Add to sqlnet.ora on the database server
tcp.validnode_checking = yes
tcp.invited_nodes = (10.0.10.5, 10.0.10.6, 10.0.10.7)
tcp.excluded_nodes = (0.0.0.0/0)

# Reload the listener after changes
lsnrctl reload

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.