Oracle May 2026 Critical Security Patch Update Addresses 35 Vulnerabilities
Severity: High (Score: 70.5)
Sources: www.oracle.com, Tenable, Heise.De, Cybersecuritynews, Blogs.Oracle
Keywords: critical, security, patch, update, cspu, oracle, addresses
Severity indicators: critical, critical security
Summary
On May 28, 2026, Oracle released its Critical Security Patch Update (CSPU) addressing 35 vulnerabilities across multiple product families. This update includes 11 critical patches and is part of a new monthly release cycle aimed at providing timely security fixes. The vulnerabilities, identified by CVEs, affect Oracle Database Server, Oracle REST Data Services, Oracle E-Business Suite, and others. The update is crucial as attackers have been reported to exploit previously patched vulnerabilities. Customers are strongly advised to apply these patches immediately to mitigate potential risks. The CSPU represents a shift in Oracle's patching strategy, focusing on high-severity issues more frequently. The majority of the patches are categorized as high severity, with a significant portion being critical. Organizations using affected Oracle products are at risk if they do not implement the updates promptly.

Key Points:
- Oracle's May 2026 CSPU addresses 35 CVEs, including 11 critical vulnerabilities.
- The update is part of a new monthly patching strategy to address high-severity issues faster.
- Customers are urged to apply patches immediately to prevent exploitation of known vulnerabilities.
Detailed Analysis
**Impact** The update affects multiple Oracle product families, including Oracle Database Server, Oracle REST Data Services, Oracle Communications, Oracle E-Business Suite, and Oracle Hospitality Applications. A total of 35 vulnerabilities are addressed, with 11 rated critical and 18 high severity, impacting customers globally across various sectors using these products. The Oracle E-Business Suite received the highest number of patches (12), followed by Oracle REST Data Services (11), indicating a broad operational impact for enterprises relying on these systems. Exploitation could lead to unauthorized access, data compromise, and disruption of business operations.

**Technical Details** The vulnerabilities include 35 unique CVEs, with 11 critical issues exploitable over the network without authentication. Oracle uses CVSS version 3.1 for scoring and provides risk matrices detailing exploit conditions and impacts. Attack vectors primarily involve network-based exploitation of Oracle product vulnerabilities, with some requiring specific privileges or package access. No specific malware, tools, or IOCs were disclosed in the available sources.

**Recommended Response** Apply all relevant Critical Security Patch Update patches immediately, prioritizing the 11 critical fixes. Until patches are applied, reduce risk by blocking network protocols associated with the vulnerabilities and removing unnecessary privileges where applicable. Monitor Oracle advisories and risk matrices for detailed vulnerability information and deploy detection rules as they become available. No specific IOCs or detection signatures were provided in the current advisories.
Source articles (6)
- Oracle May 2026 Critical Security Patch Update Addresses 35 CVEs — Tenable · 2026-05-28
  Oracle addresses 35 CVEs in its May 2026 Critical Security Patch Update with 35 patches, including 11 critical updates. On May 28, Oracle released its Critical Security Patch Update (CSPU) for May 202…
- May 2026 Critical Security Patch Update Released — Blogs.Oracle · 2026-05-28
  This Critical Security Patch Update provides security updates for a wide range of product families: Oracle Database Server, Oracle REST Data Services, Oracle Communications, Oracle E-Business Suite, O…
- Oracle May 2026 Critical Security Patch Update Risk Matrices — www.oracle.com · 2026-05-29
  This document provides the text form of the May 2026 Advisory Risk Matrices. Please note that the CVE IDs in this document correspond to the same CVE IDs in the May 2026 Advisory. This page contains…
- Oracle CSPU: 35 Security Updates in May — Heise.De · 2026-05-29
  Oracle is known for its quarterly patch days, called “Critical Patch Update” (CPU); the last one took place in April and addressed 481 vulnerabilities. In May, the company has now pushed out a “criti…
- Oracle Critical Security Update — Cybersecuritynews · 2026-05-29
  Oracle has rolled out its first Critical Security Patch Update (CSPU), delivering 35 new security fixes for serious vulnerabilities across several major product lines, including Oracle Database, Oracl…
- Cspumay2026 — www.oracle.com · 2026-05-29
  A Critical Security Patch Update (CSPU) provides targeted, high-priority security fixes in a smaller, more focused format, making them easier to apply with minimal disruption. Critical Security Patch…
Timeline
- 2026-05-28 — Oracle releases May 2026 CSPU: Oracle announced the release of its Critical Security Patch Update addressing 35 vulnerabilities across various product families.
- 2026-05-28 — CSPU introduces monthly patching cycle: Oracle's new CSPU format aims to provide quicker fixes for high-severity vulnerabilities, complementing quarterly updates.
- 2026-05-29 — Oracle advises immediate patch application: Oracle emphasizes the importance of applying the CSPU patches to prevent exploitation of vulnerabilities that have already been addressed.
CVEs
- CVE-2026-2332
- CVE-2026-33557
- CVE-2026-34311
- CVE-2026-46775
- CVE-2026-46817
- CVE-2026-46819
- CVE-2026-46822
- CVE-2026-46824
- CVE-2026-46833
- CVE-2026-46839
- CVE-2026-46840
Related entities
- Data Breach (Attack Type)
- german.it (Domain)
- vulnerabilities.in (Domain)
- Backend-as-a-Service (Platform)
- Fusion Middleware (Platform)
- Oracle Communications (Platform)
- Oracle Database (Platform)
- Oracle Databases (Platform)
- Oracle E-business Suite (Platform)
- Oracle Enterprise Manager (Platform)
- Oracle Hospitality Applications (Platform)
- Oracle Hospitality Opera 5 Property Services (Platform)
- Oracle REST Data Services (Platform)
- Cl0p (Ransomware Group)