
Oracle Debuts Monthly Security Patch Cycle with 35 Urgent Fixes

Oracle's new monthly Critical Security Patch Update model delivers 35 urgent fixes across database, middleware, and communications products, several of which are remotely exploitable without credentials.

CSBadmin

New Patching Model for Faster Response

Oracle has launched its first Critical Security Patch Update (CSPU), introducing a monthly security patching cycle designed to deliver urgent fixes more quickly than the traditional quarterly Critical Patch Updates (CPUs). The inaugural May 28, 2026 release addresses 35 newly identified vulnerabilities across multiple major product lines, including Oracle Database, Oracle REST Data Services (ORDS), Oracle Communications Unified Assurance, Oracle E-Business Suite, and Oracle Hospitality OPERA 5. Unlike the larger quarterly CPUs, which bundle hundreds of fixes, the new CSPU model focuses on a smaller, targeted set of high-priority patches that Oracle has determined need accelerated remediation. Future CSPUs are planned for the third Tuesday of most months, giving customers a faster channel to address serious security issues between the larger cumulative releases.

Impact Across Oracle Product Lines

The patches cover both Oracle’s proprietary code and popular third-party components embedded in its products, such as Apache Kafka, ActiveMQ, Tomcat, ZooKeeper, MySQL, PCRE2, libpng, and Apache HTTP Server. Oracle Database Server versions 23.4.0 through 23.26.2 receive three new security fixes for the Net Service component, all of which can be exploited remotely over TLS without authentication. Critically, these patches apply even to client-only installations without a full database server deployed, making patching essential for any environment where Oracle client libraries are exposed to untrusted networks. Oracle REST Data Services versions 24.2.0 to 26.1.0 are particularly affected, with 11 new security patches, several of them for vulnerabilities that are remotely exploitable without credentials. One vulnerability in the Backend-as-a-Service component carries a CVSS v3.1 base score of 10.0, indicating potential complete compromise of confidentiality, integrity, and availability on exposed ORDS endpoints. Oracle Communications Unified Assurance versions 6.1.1 through 7.0.0 receive eight new patches, four of which address vulnerabilities that are exploitable remotely without authentication.

Source: Cyber Security News
