Cyber Resilience

CVE-2026-21926

Severity: High

Published: 20 January 2026
Modified: 29 January 2026
CISA KEV: not listed
CVSS v3.1 base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0007 (21.4th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21926 is a high-severity vulnerability of unspecified weakness type (no CWE assigned) in Oracle Siebel Customer Relationship Management Deployment. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS score places it at the 21.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-21926 is a vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM, specifically affecting the Server Infrastructure component. Supported versions impacted by this issue range from 17.0 to 25.2. The vulnerability enables an easily exploitable condition that allows attackers to compromise the Siebel CRM Deployment server.

An unauthenticated attacker with network access via TLS can exploit this vulnerability. Successful exploitation grants the unauthorized ability to cause a hang or a frequently repeatable crash, resulting in a complete denial of service (DoS) of the Siebel CRM Deployment. The CVSS 3.1 base score is 7.5 (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), with high impact on availability and no impact on confidentiality or integrity.

For mitigation details, refer to the Oracle Critical Patch Update advisory at https://www.oracle.com/security-alerts/cpujan2026.html, published on January 20, 2026.

Vulnerability details

Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Server Infrastructure). Supported versions that are affected are 17.0-25.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Deployment. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct mapping to application exploitation causing endpoint DoS via unauthenticated network crash/hang.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35245 (same vendor: Oracle)
CVE-2026-21945 (same vendor: Oracle)
CVE-2025-21521 (same vendor: Oracle)
CVE-2026-34282 (same vendor: Oracle)
CVE-2026-34290 (same vendor: Oracle)
CVE-2026-21986 (same vendor: Oracle)
CVE-2025-21549 (same vendor: Oracle)
CVE-2026-46835 (same vendor: Oracle)
CVE-2026-46829 (same vendor: Oracle)
CVE-2026-46834 (same vendor: Oracle)

Affected Assets

Vendor: Oracle
Product: Siebel Customer Relationship Management Deployment
Versions: 17.0 to 25.2

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Requires timely remediation of the specific vulnerability in the Siebel CRM Deployment Server Infrastructure, eliminating the root cause of the DoS crash or hang.

SC-5 Denial-of-service Protection (prevent)

Implements denial-of-service protections tailored to prevent the unauthenticated network-based hang or crash that impacts availability of the Siebel CRM Deployment.

SC-7 Boundary Protection (prevent)

Enforces boundary protection to monitor and control network access via TLS, limiting exposure of the vulnerable Server Infrastructure to unauthenticated attackers.
