CVE-2026-21926
Published: 20 January 2026
Summary
CVE-2026-21926 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in Oracle Siebel Customer Relationship Management Deployment. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 21.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-21926 is a vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM, specifically affecting the Server Infrastructure component. Supported versions impacted by this issue range from 17.0 to 25.2. The vulnerability enables an easily exploitable condition that allows attackers to compromise the Siebel CRM Deployment server.
An unauthenticated attacker with network access via TLS can exploit this vulnerability. Successful exploitation results in the unauthorized ability to cause a hang or frequently repeatable crash, leading to a complete denial of service (DoS) on the Siebel CRM Deployment. The CVSS 3.1 base score is 7.5 (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), with high impact on availability and no impacts on confidentiality or integrity.
For mitigation details, refer to the Oracle Critical Patch Update advisory at https://www.oracle.com/security-alerts/cpujan2026.html, published on January 20, 2026.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3583
Vulnerability details
Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Server Infrastructure). Supported versions that are affected are 17.0-25.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Deployment. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
- CWE(s): none listed
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct mapping to application exploitation causing endpoint DoS via unauthenticated network crash/hang.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of the specific vulnerability in the Siebel CRM Deployment Server Infrastructure, eliminating the root cause of the DoS crash or hang.
- SC-5 (Denial-of-service Protection): implements denial-of-service protections tailored to prevent the unauthenticated, network-based hang or crash that impacts availability of the Siebel CRM Deployment.
- SC-7 (Boundary Protection): enforces boundary protection to monitor and control network access via TLS, limiting exposure of the vulnerable Server Infrastructure to unauthenticated attackers.