Oracle April 2026 Critical Patch Update Addresses 241 CVEs Across 28 Product Families
Oracle's second quarterly security update of 2026 fixes 241 unique CVEs with 481 patches, including 34 critical-severity fixes, with Oracle Communications receiving the most patches.

Oracle released its April 2026 Critical Patch Update (CPU) on April 21, addressing 241 unique CVEs across 481 security updates in 28 product families. This is the second quarterly update of the year and includes 34 patches rated critical severity, covering 22 CVEs. High-severity patches account for 45.9% of all updates, followed by medium severity at 44.1% and low severity at 2.9%.
The Oracle Communications product family received the highest number of patches — 139, or 28.9% of the total — followed by Oracle Financial Services Applications with 75 patches (15.6%). Oracle Fusion Middleware received 59 patches, and Oracle MySQL received 34. Notably, 93 of the Communications patches and 59 of the Financial Services patches are remotely exploitable without authentication, underscoring the urgency for organizations using these products to apply updates quickly.
Among the 34 critical patches, 22 CVEs are covered, meaning some critical patches address multiple CVEs. The full breakdown by product family shows that Oracle Analytics, Oracle Retail Applications, Oracle Siebel CRM, and Oracle Java SE also received double-digit patch counts. Several smaller product families, including Oracle Blockchain Platform, Oracle Commerce, and Oracle REST Data Services, received two patches each.
Oracle's CPU advisories are released quarterly and are the primary mechanism for delivering security fixes across the company's extensive product portfolio. The April 2026 update continues the trend of large patch volumes, with 241 CVEs fixed — a significant number that reflects the complexity and breadth of Oracle's software ecosystem.
Customers are advised to apply all relevant patches from the April 2026 advisory as soon as possible. Oracle provides risk matrices and a CVE-to-advisory map to help organizations prioritize. Tenable has indicated that its plugins to identify these vulnerabilities will be released shortly, and a search filter is available to track coverage.
The April 2026 CPU highlights the ongoing challenge of securing large, multi-product software estates. With 28 product families affected and a high proportion of remotely exploitable vulnerabilities, organizations running Oracle software should treat this update as a high priority for their patch management processes.