Oracle May 2026 Critical Security Patch Update Addresses 35 CVEs
Oracle released its May 2026 Critical Security Patch Update, fixing 35 CVEs across five product families with 11 critical-severity patches.

Oracle released its May 2026 Critical Security Patch Update (CSPU) on May 28, addressing 35 unique CVEs across five product families. This marks the first CSPU under Oracle's new monthly release cycle, which supplements the larger quarterly Critical Patch Updates (CPUs) with faster, focused security fixes. Of the 35 patches, 11 were rated critical severity, representing 31.4% of all fixes, while 18 were rated high severity.
The Oracle E-Business Suite received the most patches with 12 fixes, accounting for 34.3% of the total. Oracle REST Data Services followed with 11 patches, representing 31.4% of the update. Other affected product families include Oracle Communications (8 patches), Oracle Database Server (3 patches), and Oracle Hospitality Applications (1 patch). Notably, several vulnerabilities are exploitable over a network without authentication, with Oracle E-Business Suite having three such issues and Oracle REST Data Services having seven.
The CSPU format was introduced in May 2026 to address high-severity vulnerabilities on a faster cadence than the quarterly CPUs. This month's update includes 11 critical CVEs, 18 high-severity CVEs, and 6 medium-severity CVEs. No low-severity patches were included. The breakdown highlights Oracle's focus on its most widely deployed enterprise products, particularly E-Business Suite and REST Data Services, which are common targets for attackers.
Oracle has not disclosed specific technical details for each CVE, but the advisory includes risk matrices for affected products. Customers are urged to apply all relevant patches immediately, especially those that can be exploited remotely without authentication. Oracle's advisory provides a mapping of CVEs to affected products and recommended mitigations.
This update comes amid a busy patch cycle for enterprise software vendors, with Drupal, Microsoft, and Google also releasing critical fixes in recent weeks. The shift to monthly CSPUs reflects Oracle's effort to respond more quickly to emerging threats, though it also increases the patching burden on IT teams. Organizations running Oracle E-Business Suite or REST Data Services should prioritize this update given the high number of critical patches and remote exploitability.
Tenable has announced that plugins to identify affected systems will be released shortly. The full advisory and risk matrices are available on Oracle's website. As always, customers should test patches in a staging environment before deploying to production systems.
A new article from Cyber Security News provides additional technical details on the CSPU, noting that the patches also cover third-party components embedded in Oracle products, such as Apache Kafka, ActiveMQ, Tomcat, ZooKeeper, MySQL, PCRE2, libpng, and Apache HTTP Server. It further highlights that CVE-2026-46840 in Oracle REST Data Services carries a CVSS score of 10.0 and that the three Net Service flaws (CVE-2026-46833, CVE-2026-46834, CVE-2026-46835) affect client-only installations, which expands the patching scope beyond full database servers.