Oracle has released its January 2026 Critical Patch Update (CPU), containing 337 new security patches addressing 158 unique CVEs across 122 products from Oracle’s portfolio. The update includes two maximum-severity flaws with CVSS 10.0 scores and 27 issues rated critical severity (8% of all patches).
Patch overview
| Metric | Value |
|---|---|
| Total patches | 337 |
| Unique CVEs | 158 |
| Products affected | 122 |
| Critical severity issues | 27 (8%) |
| Maximum severity | CVSS 10.0 |
| Remotely exploitable (no auth) | Multiple critical |
Critical vulnerabilities (CVSS 10.0)
Two vulnerabilities received maximum severity scores:
| CVE | Product | Description |
|---|---|---|
| CVE-2025-66516 | Multiple products | Critical severity affecting multiple components |
| CVE-2026-21962 | Oracle HTTP Server, WebLogic Server Proxy Plug-in | Maximum risk of remote exploitation |
CVE-2026-21962 is particularly concerning because it affects Oracle HTTP Server and the WebLogic Server Proxy Plug-in, which are commonly deployed as internet-facing infrastructure.
CVE-2026-21962 details
| Attribute | Value |
|---|---|
| CVSS Score | 10.0 (Critical) |
| Affected components | Oracle HTTP Server, WebLogic Server Proxy Plug-in |
| Attack vector | Network |
| Privileges required | None |
| User interaction | None |
| Impact | Remote exploitation |
These maximum-severity vulnerabilities require immediate attention across affected deployments.
High-severity vulnerabilities (CVSS 9.8)
Multiple vulnerabilities affecting third-party components:
| Component | Affected Products |
|---|---|
| Apache Commons Compress | Multiple Oracle products |
| Eclipse JGit | Development tools |
| OpenJPEG | Image processing components |
Patches by product family
| Product Family | Patches | Notable |
|---|---|---|
| Fusion Middleware | 45 | Web-facing components |
| Financial Services | 38 | 33 remotely exploitable without auth |
| E-Business Suite | 31 | ERP vulnerabilities |
| Communications | 28 | Telecom platforms |
| Database | 24 | Multiple critical flaws |
| MySQL | 19 | Database server |
| Java SE | 11 | All remotely exploitable without auth |
| VM VirtualBox | 11 | High-risk vulnerabilities |
| GoldenGate | 5+ | 3 remotely exploitable without auth |
Financial Services Applications
The 38 patches for Oracle Financial Services Applications deserve particular attention:
| Metric | Value |
|---|---|
| Total patches | 38 |
| Remotely exploitable (no auth) | 33 |
| Attack complexity | Low |
Why this matters
Financial Services applications:
- Handle sensitive transaction data
- Process payments and settlements
- Manage customer financial information
- Support banking and insurance operations
- Are often internet-facing
Thirty-three vulnerabilities that are remotely exploitable without authentication represent a significant risk for financial institutions.
Java SE vulnerabilities
| Metric | Value |
|---|---|
| New patches | 11 |
| Remotely exploitable | All 11 |
| Authentication required | None |
| Maximum CVSS score | 7.5 |
Notable Java CVEs
| CVE | Severity | Type |
|---|---|---|
| CVE-2025-43368 | 7.5 (High) | JavaFX/WebKitGTK component |
| CVE-2025-7425 | 7.5 (High) | JavaFX/libxml2 component |
| CVE-2026-21945 | 7.5 (High) | Server-Side Request Forgery (SSRF) |
CVE-2026-21945 details
| Attribute | Value |
|---|---|
| Type | Server-Side Request Forgery (SSRF) |
| Impact | Resource exhaustion, denial of service |
| Authentication | Not required |
| Network exploitable | Yes |
CVE-2026-21945 is a high-severity SSRF vulnerability in Oracle Java that is remotely exploitable without authentication. When successfully exploited, it can be leveraged to exhaust resources, causing a denial-of-service condition.
Java remains ubiquitous in enterprise environments. All 11 Java SE patches address vulnerabilities exploitable remotely without authentication—making them high-priority for any organization running Java applications.
Database vulnerabilities
Multiple critical vulnerabilities affect Oracle Database, potentially enabling:
- Unauthorized data access
- Privilege escalation
- Remote code execution
Organizations running Oracle Database should review the CPU advisory and prioritize patching based on deployment exposure.
VM VirtualBox
Eleven high-risk vulnerabilities affect Oracle VM VirtualBox. While VirtualBox is typically used for development and testing, compromised instances can:
- Provide pivot points into corporate networks
- Expose data processed in VMs
- Enable escape to host systems
Third-party component impact
A significant portion of this CPU addresses vulnerabilities in third-party open-source libraries bundled with Oracle products:
| Pattern | Impact |
|---|---|
| Shared dependencies | Single CVE maps to many products |
| Transitive inclusion | Vulnerability inherited through dependency chains |
| Update lag | Oracle products may bundle older library versions |
This explains why 158 unique CVEs result in 337 patches—the same vulnerability affects multiple products through shared components.
Open source component risks
| Observation | Implication |
|---|---|
| Large fraction of fixes address third-party libraries | Supply chain risk in enterprise software |
| Not Oracle-authored code | Dependency on upstream security |
| Shared dependency chains | Vulnerability amplification |
Exploitation status
| Status | Details |
|---|---|
| Zero-day exploitation | None confirmed at release |
| Public PoCs | None disclosed at release |
| Oracle recommendation | Immediate patching due to ongoing exploitation attempts |
While no active exploitation was confirmed at release, Oracle strongly recommends immediate patching based on historical patterns of rapid exploit development following CPU releases and ongoing reports of malicious exploitation attempts.
Patching priorities
Tier 1: Immediate (within 72 hours)
| Target | Reason |
|---|---|
| Internet-facing systems | Direct attack exposure |
| Financial Services apps | 33 unauthenticated remote vectors |
| Java SE deployments | All 11 patches remotely exploitable |
| CVSS 10.0 vulnerabilities | Maximum severity |
| WebLogic Server | CVE-2026-21962 exposure |
Tier 2: Urgent (within 1 week)
| Target | Reason |
|---|---|
| Database systems | Critical data exposure risk |
| E-Business Suite | ERP compromise impact |
| Fusion Middleware | Web component exposure |
Tier 3: Standard (within patch cycle)
| Target | Reason |
|---|---|
| Internal-only systems | Reduced exposure |
| Development environments | Lower impact |
| Non-critical applications | Business risk assessment |
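The three tiers above can be encoded as a triage rule set. The following is an added example (not from Oracle or the article) that assigns a constructed asset inventory to tiers; it checks exposure rules (CVSS 10.0 exposure, internet-facing) before the Tier 3 development-environment discount, which is this example's assumption since the tier tables do not state a precedence.

```python
from dataclasses import dataclass, field

# CVSS 10.0 CVEs named in the January 2026 CPU write-up.
CVSS10_CVES = {"CVE-2025-66516", "CVE-2026-21962"}
# Families the write-up places in Tier 1 (unauthenticated remote vectors) and Tier 2.
TIER1_FAMILIES = {"Financial Services", "Java SE", "WebLogic Server"}
TIER2_FAMILIES = {"Database", "E-Business Suite", "Fusion Middleware"}

@dataclass
class Asset:
    name: str
    family: str            # product family as named in the CPU advisory
    internet_facing: bool
    production: bool       # False for development/test environments
    cves: set = field(default_factory=set)  # CPU CVEs known to apply

def triage(asset):
    """Return (tier, reason). Exposure rules (CVSS 10.0, internet-facing) are
    checked before the Tier 3 development discount: this example's assumption."""
    hits = asset.cves & CVSS10_CVES
    if hits:
        return 1, "CVSS 10.0 exposure: " + ", ".join(sorted(hits))
    if asset.internet_facing:
        return 1, "internet-facing system"
    if not asset.production:
        return 3, "development environment"
    if asset.family in TIER1_FAMILIES:
        return 1, f"{asset.family}: unauthenticated remote vectors"
    if asset.family in TIER2_FAMILIES:
        return 2, f"{asset.family}: critical data or business exposure"
    return 3, "internal-only or non-critical application"

def plan(assets):
    """Group assets by tier: {1: [(name, reason), ...], 2: [...], 3: [...]}."""
    tiers = {1: [], 2: [], 3: []}
    for asset in assets:
        tier, reason = triage(asset)
        tiers[tier].append((asset.name, reason))
    return tiers

# Constructed inventory for demonstration; hostnames are made up.
INVENTORY = [
    Asset("ohs-proxy-01", "Fusion Middleware", True, True, {"CVE-2026-21962"}),
    Asset("fsa-portal-02", "Financial Services", True, True),
    Asset("jvm-batch-03", "Java SE", False, True),
    Asset("db-core-04", "Database", False, True),
    Asset("java-build-05", "Java SE", False, False),
    Asset("intranet-06", "Other", False, True),
]
```

Calling `plan(INVENTORY)` returns the three tier lists with a reason per asset; in practice the inventory would be fed from a CMDB export rather than constructed inline.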
Implementation guidance
| Step | Action |
|---|---|
| 1 | Download patches from My Oracle Support |
| 2 | Review CPU advisory for affected products |
| 3 | Test patches in non-production environment |
| 4 | Prioritize based on exposure and criticality |
| 5 | Deploy to production during maintenance window |
| 6 | Verify successful installation |
| 7 | Monitor for exploitation attempts |
| 8 | Document exceptions for delayed patching |
Temporary mitigations
If immediate patching isn’t possible:
| Control | Purpose |
|---|---|
| Network segmentation | Limit access to vulnerable systems |
| WAF rules | Block known attack patterns |
| Enhanced monitoring | Detect exploitation attempts |
| Access restrictions | Reduce authenticated attack surface |
| Disable unused features | Reduce attack surface |
CPU schedule reminder
Oracle releases Critical Patch Updates quarterly:
| Month | Typical Release |
|---|---|
| January | Second Tuesday |
| April | Second Tuesday |
| July | Second Tuesday |
| October | Second Tuesday |
Organizations should plan patching cycles around this schedule, with processes to evaluate and deploy updates promptly.
Historical comparison
| CPU | Total Patches | Unique CVEs |
|---|---|---|
| January 2026 | 337 | 158 |
| October 2025 | 349 | 162 |
| July 2025 | 318 | 149 |
| April 2025 | 308 | 145 |
The January 2026 CPU is consistent with recent update volumes, reflecting Oracle’s extensive product portfolio.
Recommendations
For Oracle customers
| Priority | Action |
|---|---|
| Critical | Apply CVSS 10.0 patches immediately |
| Critical | Prioritize Java SE and Financial Services patches |
| High | Review internet-facing system exposure |
| High | Implement compensating controls for delayed patching |
| Ongoing | Establish quarterly CPU response procedures |
For security teams
| Priority | Action |
|---|---|
| High | Inventory all Oracle deployments |
| High | Map critical systems to CPU advisory |
| Medium | Validate patch testing procedures |
| Ongoing | Monitor for post-CPU exploit releases |
Context
The January 2026 CPU’s 337 patches reflect both Oracle’s extensive product portfolio and the challenge of securing complex enterprise software with numerous third-party dependencies.
The concentration of remotely exploitable, unauthenticated vulnerabilities in Financial Services (33) and Java SE (11) applications demands immediate attention from affected organizations. These aren’t theoretical risks—they’re attack vectors that require no credentials and can be exploited from the network.
The significant proportion of patches addressing third-party open-source components highlights supply chain security as a growing concern in enterprise software. Organizations running Oracle products should treat CPU releases as security-critical events requiring prompt assessment and remediation, not routine maintenance to be scheduled around convenience.