Cyber Posture

CVE-2026-21926

High

Published: 20 January 2026

Modified: 29 January 2026
KEV Added
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0005 (16.6th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21926 is a high-severity vulnerability with an unspecified weakness type in Oracle Siebel Customer Relationship Management Deployment. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 16.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct mapping to application exploitation causing endpoint DoS via unauthenticated network crash/hang.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Server Infrastructure). Supported versions that are affected are 17.0-25.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Deployment. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Deeper analysis

CVE-2026-21926 is a vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM, specifically affecting the Server Infrastructure component. Supported versions impacted by this issue range from 17.0 to 25.2. The vulnerability enables an easily exploitable condition that allows attackers to compromise the Siebel CRM Deployment server.

An unauthenticated attacker with network access via TLS can exploit this vulnerability. Successful exploitation results in the unauthorized ability to cause a hang or frequently repeatable crash, leading to a complete denial of service (DoS) on the Siebel CRM Deployment. The CVSS 3.1 base score is 7.5 (vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), with high impact on availability and no impacts on confidentiality or integrity.

For mitigation details, refer to the Oracle Critical Patch Update advisory at https://www.oracle.com/security-alerts/cpujan2026.html, published on January 20, 2026.

Details

CWE(s)

Affected Products

Vendor: oracle
Product: siebel customer relationship management deployment
Versions: 17.0 to 25.2

CVEs Like This One

CVE-2026-34290 (same vendor: Oracle)
CVE-2025-21521 (same vendor: Oracle)
CVE-2026-34282 (same vendor: Oracle)
CVE-2026-35245 (same vendor: Oracle)
CVE-2026-21945 (same vendor: Oracle)
CVE-2025-21549 (same vendor: Oracle)
CVE-2026-21986 (same vendor: Oracle)
CVE-2025-21547 (same vendor: Oracle)
CVE-2025-21564 (same vendor: Oracle)
CVE-2025-21515 (same vendor: Oracle)
