{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35229", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-04-01T20:03:40.833Z", "datePublished": "2026-04-21T20:35:43.259Z", "dateUpdated": "2026-04-21T20:35:43.259Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:43.259Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java VM accessible data."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Database Server", "versions": [{"version": "19.3", "status": "affected", "lessThanOrEqual": "19.30", "versionType": "custom"}, {"version": "21.3", "status": "affected", "lessThanOrEqual": "21.21", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:database_-_java_vm:*:*:*:*:*:*:*:*", "versionStartIncluding": "19.3", "versionEndIncluding": "19.30"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:database_-_java_vm:*:*:*:*:*:*:*:*", "versionStartIncluding": "21.3", "versionEndIncluding": "21.21"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java VM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java VM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)."}], "id": "CVE-2026-35229", "lastModified": "2026-04-21T21:16:38.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-04-21T21:16:38.440", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "database_-_java_vm", "vendor": "oracle"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[19.3,19.30]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[21.3,21.21]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Oracle Database Server", "source": "cna", "vendor": "Oracle Corporation"}, "product": "database_server", "vendor": "oracle"}], "analysis": {"en": {"generated_at": "2026-04-22T04:49:12.808373+00:00", "value": {"mitigation_remediation": ["Apply any available Oracle patches for the Java VM component in versions 19.3\u201119.30 and 21.3\u201121.21 as soon as they are released.", "Restrict Oracle Net access to trusted hosts only using firewall or ACL rules to reduce unauthenticated network reach.", "If the Java VM functionality is not required, disable or remove it from the database instance to eliminate the attack surface.", "Continuously monitor database and network logs for anomalous Oracle Net connections or unexpected Java VM activity and investigate promptly."], "summary": {"action": "Assess Impact", "impact": "Confidentiality Breach via Unauthorized Data Access"}, "threat_synthesis": {"affected_systems": "Oracle Corporation\u2019s Oracle Database Server is affected. Versions 19c from 19.3 through 19.30 and 21c from 21.3 through 21.21 contain the vulnerable Java VM component.", "description_and_impact": "The vulnerability lies in the Java VM component of Oracle Database Server. An attacker who can reach the server over Oracle Net, without authentication, can exploit the weakness to compromise the Java VM. Successful attacks can provide unauthorized access to critical data stored in the database or to any data that the Java VM can retrieve, resulting in a significant breach of confidentiality.", "risk_and_exploitability": "The CVSS 3.1 base score of 7.5 highlights a high confidentiality impact. The attack vector is network-based via Oracle Net, requires no authentication, and an attacker can launch the exploit with low effort. The EPSS score is not available and the vulnerability is not listed in CISA\u2019s KEV catalog, but the public documentation of the issue indicates that it can be exploited in the wild. Organizations should treat it as a significant risk until a patch is applied."}}}}, "created": "2026-04-22T05:00:09.515649+00:00", "title": "Java VM Component Vulnerability Allows Unauthenticated Access to Database Data via Oracle Net", "updated": "2026-04-22T06:45:10.634221+00:00", "vendors": ["oracle", "oracle$PRODUCT$database_-_java_vm", "oracle$PRODUCT$database_server"]}