Oracle Solaris Third Party Bulletin - October 2025
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
- 20 January 2026
- 21 April 2026
- 21 July 2026
- 20 October 2026
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
Modification History
| Date | Note |
|---|---|
| 2025-November-25 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 87 |
| 2025-October-21 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 86 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 47 new security patches for the Oracle Solaris Operating System. 30 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 2: Published on 2025-11-25
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2025-40778 | Oracle Solaris | Bind | HTTP | Yes | 8.6 | Network | Low | None | None | Changed | None | High | None | 11.4 | See Note 1 |
| CVE-2025-55005 | Oracle Solaris | ImageMagick | HTTP | Yes | 8.3 | Network | Low | None | Required | Un- changed |
High | High | Low | 11.4 | See Note 2 |
| CVE-2011-2964 | Oracle Solaris | Common Unix Printing System (CUPS) | HTTP | Yes | 8.2 | Network | Low | None | None | Un- changed |
Low | High | None | 11.4 | See Note 3 |
| CVE-2025-0624 | Oracle Solaris | Grub2 | HTTP | No | 7.6 | Adjacent Network | High | High | None | Changed | High | High | High | 11.4 | See Note 4 |
| CVE-2025-10527 | Oracle Solaris | Thunderbird | HTTP | Yes | 7.5 | Network | High | None | Required | Un- changed |
High | High | High | 11.4 | See Note 5 |
| CVE-2025-10527 | Oracle Solaris | Firefox | HTTP | Yes | 7.5 | Network | High | None | Required | Un- changed |
High | High | High | 11.4 | See Note 6 |
| CVE-2025-53066 | Oracle Solaris | JDK | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 11.4 | |
| CVE-2025-53537 | Oracle Solaris | Suricata | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 7 |
| CVE-2025-9179 | Oracle Solaris | Thunderbird | HTTP | Yes | 7.5 | Network | High | None | Required | Un- changed |
High | High | High | 11.4 | See Note 8 |
| CVE-2025-9179 | Oracle Solaris | Firefox | HTTP | Yes | 7.5 | Network | High | None | Required | Un- changed |
High | High | High | 11.4 | See Note 9 |
| CVE-2025-9230 | Oracle Solaris | OpenSSL | TLS | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4, 11.3, 10 | See Note 10 |
| CVE-2025-48379 | Oracle Solaris | Python Imaging Library (PIL) | None | No | 7.1 | Local | Low | Low | None | Un- changed |
None | High | High | 11.4 | |
| CVE-2025-7519 | Oracle Solaris | PolicyKit | None | No | 6.7 | Local | Low | High | None | Un- changed |
High | High | High | 11.4 | |
| CVE-2025-47183 | Oracle Solaris | GStreamer | None | No | 6.6 | Local | Low | Low | Required | Un- changed |
High | None | High | 11.4 | See Note 11 |
| CVE-2025-32989 | Oracle Solaris | GnuTLS | TLS | Yes | 6.5 | Network | High | None | None | Un- changed |
None | Low | High | 11.4 | See Note 12 |
| CVE-2025-50420 | Oracle Solaris | Poppler | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-52891 | Oracle Solaris | mod_security | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-53014 | Oracle Solaris | ImageMagick | HTTP | Yes | 6.5 | Network | High | None | None | Un- changed |
None | High | Low | 11.4 | See Note 13 |
| CVE-2025-11001 | Oracle Solaris | 7-Zip | None | No | 6.2 | Local | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 14 |
| CVE-2025-9232 | Oracle Solaris | OpenSSL | TLS | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-47806 | Oracle Solaris | GStreamer | HTTP | Yes | 5.6 | Network | High | None | None | Un- changed |
Low | Low | Low | 11.4 | See Note 15 |
| CVE-2025-48060 | Oracle Solaris | Command-line JSON Processor | None | No | 5.5 | Local | Low | Low | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-47910 | Oracle Solaris | Go Programming Language | HTTP | Yes | 5.4 | Network | Low | None | Required | Un- changed |
Low | Low | None | 11.4 | See Note 16 |
| CVE-2025-49014 | Oracle Solaris | Command-line JSON Processor | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-50181 | Oracle Solaris | Urllib3 | HTTP | No | 5.3 | Network | High | Low | None | Un- changed |
High | None | None | 11.4 | See Note 17 |
| CVE-2025-54571 | Oracle Solaris | mod_security | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 11.4 | |
| CVE-2025-7462 | Oracle Solaris | Ghostscript | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-8194 | Oracle Solaris | Python | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-43023 | Oracle Solaris | HP Linux Imaging and Printing Software | HTTP | No | 5 | Network | High | High | None | Un- changed |
None | High | Low | 11.4 | |
| CVE-2024-43374 | Oracle Solaris | VIM | None | No | 4.5 | Local | High | None | Required | Un- changed |
Low | Low | Low | 11.4 | See Note 18 |
| CVE-2024-23337 | Oracle Solaris | Command-line JSON Processor | HTTP | Yes | 4.3 | Network | Low | None | Required | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-2361 | Oracle Solaris | Mercurial | HTTP | Yes | 4.3 | Network | Low | None | Required | Un- changed |
Low | None | None | 11.4 | |
| CVE-2025-4476 | Oracle Solaris | libsoup | HTTP | Yes | 4.3 | Network | Low | None | Required | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-5399 | Oracle Solaris | libcurl | HTTP | Yes | 4.3 | Network | Low | None | Required | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-6069 | Oracle Solaris | Python | HTTP | No | 4.3 | Network | Low | Low | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-52886 | Oracle Solaris | Poppler | None | No | 4 | Local | Low | None | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-5914 | Oracle Solaris | Libarchive | None | No | 3.9 | Local | Low | Low | Required | Un- changed |
Low | None | Low | 11.4 | See Note 19 |
| CVE-2025-7039 | Oracle Solaris | GLib | HTTP | Yes | 3.7 | Network | High | None | None | Un- changed |
None | Low | None | 11.4 | |
| CVE-2025-55188 | Oracle Solaris | 7-Zip | None | No | 3.6 | Local | Low | None | Required | Changed | None | Low | None | 11.4 | |
| CVE-2025-50422 | Oracle Solaris | Poppler | None | No | 3.3 | Local | Low | None | Required | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-6141 | Oracle Solaris | Ncurses | None | No | 3.3 | Local | Low | Low | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-5992 | Oracle Solaris | Qt Toolkit | HTTP | Yes | 3.1 | Network | High | None | Required | Un- changed |
None | None | Low | 11.4 | |
Revision 1: Published on 2025-10-21
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2025-54874 | Oracle Solaris | OpenJPEG | None | No | 8 | Local | Low | None | None | Un- changed |
High | High | Low | 11.4 | |
| CVE-2025-48989 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-7345 | Oracle Solaris | Gdk-Pixbuf | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-57833 | Oracle Solaris | Django | HTTP | No | 7.1 | Network | High | Low | None | Changed | High | Low | None | 11.4 | |
| CVE-2025-52434 | Oracle Solaris | Apache Tomcat | HTTP | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 11.4 | See Note 20 |
Notes:
1. This patch also addresses CVE-2025-40780 CVE-2025-8677.2. This patch also addresses CVE-2025-55004 CVE-2025-55154 CVE-2025-55160 CVE-2025-55212 CVE-2025-55298 CVE-2025-57803.
3. This patch also addresses CVE-2024-47076 CVE-2024-47175 CVE-2024-47176 CVE-2024-47177.
4. This patch also addresses CVE-2024-45774 CVE-2024-45775 CVE-2024-45776 CVE-2024-45777 CVE-2024-45778 CVE-2024-45779 CVE-2024-45780 CVE-2024-45781 CVE-2024-45782 CVE-2024-45783 CVE-2024-56737 CVE-2025-0622 CVE-2025-0677 CVE-2025-0678 CVE-2025-0684 CVE-2025-0685 CVE-2025-0686 CVE-2025-0689 CVE-2025-0690 CVE-2025-1118 CVE-2025-1125.
5. This patch also addresses CVE-2025-10528 CVE-2025-10529 CVE-2025-10532 CVE-2025-10533 CVE-2025-10536 CVE-2025-10537.
6. This patch also addresses CVE-2025-10528 CVE-2025-10529 CVE-2025-10532 CVE-2025-10533 CVE-2025-10536 CVE-2025-10537.
7. This patch also addresses CVE-2025-53538.
8. This patch also addresses CVE-2025-9180 CVE-2025-9181 CVE-2025-9182 CVE-2025-9184 CVE-2025-9185.
9. This patch also addresses CVE-2025-9180 CVE-2025-9181 CVE-2025-9182 CVE-2025-9183 CVE-2025-9184 CVE-2025-9185.
10. This patch also addresses CVE-2025-9231 CVE-2025-9232.
11. This patch also addresses CVE-2025-47219.
12. This patch also addresses CVE-2025-32988 CVE-2025-32990 CVE-2025-6395.
13. This patch also addresses CVE-2025-53015 CVE-2025-53019 CVE-2025-53101.
14. This patch also addresses CVE-2025-11002 CVE-2025-53816 CVE-2025-53817.
15. This patch also addresses CVE-2025-47807 CVE-2025-47808.
16. This patch also addresses CVE-2025-47912 CVE-2025-58183 CVE-2025-58185 CVE-2025-58186 CVE-2025-58187 CVE-2025-58188 CVE-2025-58189 CVE-2025-61723 CVE-2025-61724 CVE-2025-61725.
17. This patch also addresses CVE-2025-50182.
18. This patch also addresses CVE-2024-43790 CVE-2024-45306 CVE-2024-47814 CVE-2025-1215 CVE-2025-22134 CVE-2025-24014 CVE-2025-26603 CVE-2025-29768 CVE-2025-53905 CVE-2025-53906 CVE-2025-55157 CVE-2025-55158.
19. This patch also addresses CVE-2025-5915 CVE-2025-5916 CVE-2025-5917 CVE-2025-5918.
20. This patch also addresses CVE-2025-52520 CVE-2025-53506.