Critical Patch Update, Critical Security Patch Update and Security Alert Programs Frequently Asked Questions


Last Updated: May 27, 2026


1. Oracle Security Vulnerability Remediation Practices Overview

  • 1.1 What are Critical Patch Updates (CPUs)?

    Critical Patch Updates provide security patches for supported Oracle on-premises products. A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third-party components included in Oracle products. These patches are usually cumulative. They are available to customers with valid support contracts.

    More information about Oracle's security fixing policies can be found at https://www.oracle.com/corporate/security-practices/assurance/vulnerability/security-fixing.html

  • 1.2 When are Critical Patch Updates released?

    Oracle Critical Patch Updates are released quarterly. Critical Patch Updates are released at around 1 p.m. Pacific Time on the third Tuesday of January, April, July, and October.

  • 1.3 What are Critical Security Patch Updates (CSPUs)?

    Critical Security Patch Updates provide security patches for supported Oracle on-premises products. A Critical Security Patch Update provides targeted, high-priority security fixes in a smaller, more focused format, making them easier to apply with minimal disruption. Critical Security Patch Updates complement Oracle’s existing quarterly cumulative Critical Patch Updates (CPUs). They are available to customers with valid support contracts. The first Critical Security Patch Update was introduced in May 2026.

  • 1.4 When are Critical Security Patch Updates released?

    The first Critical Security Patch Update is scheduled on May 28, 2026. After the first Critical Security Patch Update, Critical Security Patch Updates will be released on the third Tuesday of February, March, May, June, August, September, November, and December.

  • 1.5 What are Security Alerts?

    Oracle will issue Security Alerts for vulnerability fixes deemed too critical to wait for distribution in the next Critical Patch Update or Critical Security Patch Update. In this event, customers will be notified of the Security Alert by email notification. See Instructions for subscribing to email notifications of Critical Patch Updates, Critical Security Patch Updates and Security Alerts.

  • 1.6 Does Oracle release security patches outside of the Critical Patch Update and Critical Security Patch Update programs for products such as Oracle Linux?

    Yes. Security updates for Oracle Linux and Oracle VM Server for x86 are announced in ELSA (Enterprise Linux Security Advisories) published at https://linux.oracle.com/security/. Additionally, customers can subscribe to Oracle Linux security announcements by visiting https://oss.oracle.com/mailman/listinfo/el-errata.

  • 1.7 Where can I find a list of past Critical Patch Updates, Critical Security Patch Updates and Security Alerts?

    Previously released Critical Patch Updates, Critical Security Patch Updates and Security Alerts can be found at: https://www.oracle.com/security-alerts/

  • 1.8 What happens if a critical security flaw is discovered between the quarterly Critical Patch Updates or the monthly Critical Security Patch Updates?

    In case of a dangerous threat to Oracle customers, Oracle will issue a Security Alert containing information about the threat and corrective measures. If the Security Alert is released with an interim patch, the patch will be included in the next Critical Patch Update. For more information, see Security Vulnerability Fixing Policy and Process at https://www.oracle.com/corporate/security-practices/assurance/vulnerability/security-fixing.html

2. Patch Policies and Content

  • 2.1 In which support stages will products receive Critical Patch Updates, Critical Security Patch Updates, and Security Alerts?

    The Oracle Lifetime Support Policy defines the period during which product releases are covered by Premier Support and Extended Support agreements. Generally, only releases in these first two stages of support are included in the Critical Patch Update, Critical Security Patch Update, and Security Alert program. For most products, only the latest versions within each release receive Critical Patch Update, Critical Security Patch Update, and Security Alert patches, as stated in the "Software Error Correction Support Policy" documents on My Oracle Support.

  • 2.2 Can I request security patches for product versions not currently covered in the Critical Patch Update, Critical Security Patch Update, or Security Alert program?

    Oracle strongly recommends that customers using product versions not covered by the Critical Patch Update, Critical Security Patch Update or Security Alert program upgrade to versions for which security patches are provided.

  • 2.3 What should I do when a conflict is reported while applying a Critical Patch Update, Critical Security Patch Update, or Security Alert?

    Please contact Oracle Support using your designated support mechanism (e.g., My Oracle Support) for assistance.

  • 2.4 Are previously released security fixes included in the Critical Patch Update?

    As much as possible, Oracle tries to make Critical Patch Updates cumulative; that is, each Critical Patch Update contains the security fixes from all previous Critical Patch Updates, Critical Security Patch Updates and Security Alerts. Critical Security Patch Updates are not cumulative. In practical terms, for those products that receive cumulative fixes, the latest Critical Patch Update is the only one that needs to be applied when solely using these products, as it contains all required fixes.

    Fixes for the other products that do not receive cumulative fixes are released as one-off patches. It is necessary for these products to refer to previous Critical Patch Update, Critical Security Patch Update, or Security Alert advisories to find all the patches that may need to be applied.

3. Patch Installation and Patching Guidelines

  • 3.1 Are Critical Patch Updates, Critical Security Patch Updates, or Security Alerts mandatory?

    It is not mandatory to install Critical Patch Updates, Critical Security Patch Updates, or Security Alerts, but Oracle strongly recommends that they are applied. Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively supported versions and apply Critical Patch Update, Critical Security Patch Update, or Security Alert fixes without delay.

  • 3.2 How do I determine if I need to apply a Critical Patch Update, Critical Security Patch Update, or Security Alert?

    Oracle strongly recommends that every Critical Patch Update, Critical Security Patch Update, or Security Alert be applied as soon as possible to minimize the risk of a successful attack.

  • 3.3 Are there any recommended practices related to Critical Patch Updates, Critical Security Patch Updates, or Security Alerts?

    Oracle extensively tests the Critical Patch Update, Critical Security Patch Update, and Security Alert patches but cannot perform testing in a customer environment. Every customer performs some degree of customization, so it is recommended that customers test the security patches on their own test environments before installing patches on production systems.

  • 3.4 Is it possible to apply workarounds instead of installing Critical Patch Updates, Critical Security Patch Updates, or Security Alerts?

    Oracle believes that the timely application of Critical Patch Updates, Critical Security Patch Updates, and Security Alerts is necessary for organizations to maintain a proper security in-depth posture. In certain instances, Oracle can provide specific workaround instructions if the workaround does not negatively impact other Oracle products. More generally, the information provided in the Critical Patch Update Advisory risk matrices can be used by customers to reduce or mitigate risk. For example, a security vulnerability in a product component that is unused on a particular system can be mitigated by uninstalling the component. Vulnerabilities that require an attacker to have certain privileges can be partially mitigated by restricting those privileges to trusted users. Oracle recommends that customers test workarounds or configuration changes on non-production environments before making changes to production systems.

4. Critical Patch Update, Critical Security Patch Update and Security Alert Documentation and More Information

  • 4.1 What documentation is included in the Critical Patch Update, Critical Security Patch Update, and Security Alert?

    The top-level document for each Critical Patch Update, Critical Security Patch Update, and Security Alert is the advisory. A list of all Critical Patch Update, Critical Security Patch Update, and Security Alert advisories is maintained on https://www.oracle.com/security-alerts/.

    The advisory provides information designed to help customers make decisions about which systems to patch and in what order. It contains a list of affected products and risk matrices providing information about each newly fixed vulnerability. It references product-specific notes and documents that provide more detailed information, including the location of the patches.

  • 4.2 Is it safe to use information about Oracle security vulnerabilities from third-party sites? How accurate is third-party information?

    The information available on non-Oracle sites is not reviewed by Oracle. Some sites may offer misleading information by providing only a small part of the vulnerabilities information disclosed in the Oracle Critical Patch Update, Critical Security Patch Update, or Security Alert documentation. Third-party sites may suggest workarounds that are incorrect, incomplete or untested, and following such advice can lead to system outages. Oracle strongly recommends that customers rely on information provided by Oracle, specifically the Critical Patch Update, Critical Security Patch Update, or Security Alert documentation, as the only authoritative source of information about Oracle vulnerabilities.

  • 4.3 Why does Oracle use CVE identifiers?

    Starting with the July 2008 Critical Patch Update, Oracle uses industry-standard Common Vulnerabilities and Exposures (CVE) identifiers rather than the proprietary identifiers used in previous CPUs and Security Alerts. CVE identifiers were introduced to simplify the identification of Oracle vulnerabilities when they are referenced in external security reports, such as those produced by security researchers and vulnerability management systems.

  • 4.4 What is the Security-In-Depth program referenced in the Credit Section of the Critical Patch Update, Critical Security Patch Update or Security Alert Advisory?

    In 2008, Oracle instituted a Security-In-Depth program to provide credit to people who provide information, observations or suggestions to Oracle pertaining to security vulnerability issues that result in significant modifications of Oracle code or documentation in future releases, but are not of such a critical nature that the modifications would be distributed in Critical Patch Updates, Critical Security Patch Updates and Security Alerts.

  • 4.5 What is the On-Line Presence Security program referenced in the Credit Section of the CPU Advisory?

    In 2011, Oracle instituted an On-Line Presence Security program to provide credit to people for contributions relating to Oracle's on-line presence if they provide information, observations or suggestions pertaining to security-related issues that result in significant modification to Oracle's on-line external-facing systems.

5. CSAF (Common Security Advisory Framework)

  • 5.1 What is CSAF?

    CSAF (Common Security Advisory Framework) is a JSON interchange format that has been developed by the CSAF Technical Committee in OASIS. The CSAF Technical Committee in OASIS is chartered to make a major revision to the Common Vulnerability Reporting Framework (CVRF).

    The CSAF JSON format is used to interchange relevant security information pertaining to vulnerabilities. Such information includes, but is not limited to, the CVE identifier of the vulnerability, the CVSS score rating its ease of exploitation and severity, the affected products and versions, and the remedy.

  • 5.2 What is Oracle’s involvement with CSAF?

    Oracle participates in the CSAF Technical Committee in OASIS. As of the April 2022 Critical Patch Update, in addition to existing text and XML advisories, Oracle also publishes the security advisories in CSAF format. The advisory in the CSAF format can be found in the “references” section of each advisory. The CSAF JSON files are also available via RSS.

  • 5.3 Whom should I contact for CSAF-related questions?

    Please contact secalert_us@oracle.com for any questions related to Oracle’s advisories in CSAF format. For general CSAF-related questions or suggestions, please follow the instructions provided by the CSAF Technical Committee in OASIS.

6. VEX (Vulnerability Exploitability eXchange)

  • 6.1 What is VEX?

    VEX is a CISA initiative. VEX can be used both to assert non-exploitability of third-party CVEs and to confirm that products are subject to specific vulnerabilities associated with third-party CVEs. It can also be used to provide the reason for non-exploitability. VEX defines the following statuses:

    • Not Affected
    • Affected
    • Fixed
    • Under Investigation

    When the VEX status is "Not Affected", one of the following VEX status justifications can be provided:

    • Component_not_present
    • Vulnerable_code_not_present
    • Vulnerable_code_not_in_execute_path
    • Vulnerable_code_cannot_be_controlled_by_adversary
    • Inline_mitigations_already_exist

    VEX information can be provided in different documents including, but not limited to, HTML, CSAF and machine-readable SBOM documents.

  • 6.2 What is Oracle’s involvement with VEX?

    Oracle participates in the VEX Working Group. Starting with the July 2023 Critical Patch Update, Oracle publishes the VEX status justifications for third-party CVEs that are not exploitable in the context of the Oracle product in both the HTML and CSAF advisories.
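    As an added illustration of sections 5.1, 6.1 and 6.2 (this is example code, not Oracle's own tooling), the following reads a constructed CSAF 2.0 document, maps each product's CSAF `product_status` onto the four VEX statuses listed above, and attaches the "Not Affected" justification carried in the CSAF `flags` array. The field names follow the CSAF 2.0 specification; the sample advisory, product names and CVE numbers are constructed placeholders.

```python
import json

# Constructed sample in CSAF 2.0 layout (NOT a real Oracle advisory):
# one third-party CVE the vendor marks "not affected" with a VEX
# justification flag, and one CVE fixed by a vendor patch.
# CVE numbers and product names are placeholders.
SAMPLE_CSAF = json.dumps({
    "document": {"title": "Constructed Sample Advisory", "csaf_version": "2.0"},
    "product_tree": {"full_product_names": [
        {"product_id": "PROD-A", "name": "Example Product A 1.0"},
        {"product_id": "PROD-B", "name": "Example Product B 2.0"}]},
    "vulnerabilities": [
        {"cve": "CVE-0000-0001",
         "product_status": {"known_not_affected": ["PROD-A"]},
         "flags": [{"label": "vulnerable_code_not_in_execute_path",
                    "product_ids": ["PROD-A"]}]},
        {"cve": "CVE-0000-0002",
         "product_status": {"fixed": ["PROD-B"]},
         "remediations": [{"category": "vendor_fix", "product_ids": ["PROD-B"],
                           "url": "https://example.invalid/patch"}]}]})

# CSAF 2.0 product_status keys -> the VEX status names used on this page.
STATUS_MAP = {"known_not_affected": "Not Affected", "known_affected": "Affected",
              "fixed": "Fixed", "under_investigation": "Under Investigation"}


def vex_statements(csaf_text):
    """Return {(cve, product_name): (vex_status, justification_or_None)}."""
    doc = json.loads(csaf_text)
    names = {p["product_id"]: p["name"]
             for p in doc.get("product_tree", {}).get("full_product_names", [])}
    out = {}
    for vuln in doc.get("vulnerabilities", []):
        cve = vuln["cve"]
        # Justification flags are only meaningful for "Not Affected" products.
        flags = {pid: f["label"] for f in vuln.get("flags", [])
                 for pid in f.get("product_ids", [])}
        for key, status in STATUS_MAP.items():
            for pid in vuln.get("product_status", {}).get(key, []):
                just = flags.get(pid) if status == "Not Affected" else None
                out[(cve, names.get(pid, pid))] = (status, just)
    return out


def needs_action(statements):
    """CVE/product pairs a patch team must act on: Affected, or Fixed (patch available)."""
    return sorted(k for k, (s, _) in statements.items() if s in ("Affected", "Fixed"))


if __name__ == "__main__":
    for key, val in vex_statements(SAMPLE_CSAF).items():
        print(key, "->", val)
```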

  • 6.3 Whom should I contact for VEX-related questions?

    Please contact secalert_us@oracle.com for any questions related to Oracle’s VEX information. For general VEX-related questions or suggestions, please send them to SBOM@cisa.dhs.gov.

7. Other Topics