Oracle January 2026 Critical Patch Update Addresses 158 CVEs
Oracle addresses 158 CVEs in its first quarterly update of 2026 with 337 patches, including 27 critical updates.
Key takeaways:
- The first Critical Patch Update (CPU) for 2026 contains fixes for 158 unique CVEs in 337 security updates.
- 27 issues (8% of all patches) were assigned a critical severity rating.
- CVE-2026-21945, a high-severity Server-Side Request Forgery (SSRF) vulnerability in Oracle Java, was discovered by Tenable Research.
Background
On January 20, Oracle released its Critical Patch Update (CPU) for January 2026, the first quarterly update of 2026. This CPU contains fixes for 158 unique CVEs in 337 security updates across 30 Oracle product families. Out of the 337 security updates published this quarter, 8% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 45.7%, followed by medium severity patches at 42.4%.

This quarter’s update includes 27 critical patches across 13 CVEs.
| Severity | Issues Patched | CVEs |
|---|---|---|
| Critical | 27 | 13 |
| High | 154 | 67 |
| Medium | 143 | 69 |
| Low | 13 | 9 |
| Total | 337 | 158 |
Analysis
This quarter, the Oracle Zero Data Loss Recovery Appliance product family contained the highest number of patches at 56, accounting for 16.6% of the total patches, followed by Oracle Enterprise Manager at 51 patches, which accounted for 15.1% of the total patches.
A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|---|---|---|
| Oracle Zero Data Loss Recovery Appliance | 56 | 34 |
| Oracle Enterprise Manager | 51 | 47 |
| Oracle E-Business Suite | 38 | 33 |
| Oracle Java SE | 20 | 7 |
| Oracle MySQL | 14 | 10 |
| Oracle PeopleSoft | 14 | 11 |
| Oracle Systems | 14 | 1 |
| Oracle HealthCare Applications | 12 | 10 |
| Oracle JD Edwards | 12 | 10 |
| Oracle Hospitality Applications | 11 | 11 |
| Oracle Retail Applications | 10 | 8 |
| Oracle Commerce | 8 | 7 |
| Oracle Communications | 8 | 2 |
| Oracle Financial Services Applications | 8 | 6 |
| Oracle Database Server | 7 | 2 |
| Oracle TimesTen In-Memory Database | 7 | 6 |
| Oracle Hyperion | 7 | 5 |
| Oracle Analytics | 6 | 6 |
| Oracle GoldenGate | 5 | 3 |
| Oracle Fusion Middleware | 5 | 3 |
| Oracle Siebel CRM | 5 | 1 |
| Oracle Supply Chain | 5 | 4 |
| Oracle Construction and Engineering | 4 | 4 |
| Oracle Health Sciences Applications | 4 | 4 |
| Oracle APEX | 1 | 0 |
| Oracle Essbase | 1 | 1 |
| Oracle Graph Server and Client | 1 | 0 |
| Oracle Key Vault | 1 | 0 |
| Oracle NoSQL Database | 1 | 1 |
| Oracle Secure Backup | 1 | 1 |
Tenable Research discovery
As part of the January CPU, Oracle addressed CVE-2026-21945, a high-severity Server-Side Request Forgery (SSRF) vulnerability in Oracle Java that is remotely exploitable without authentication. When successfully exploited, it can be leveraged to exhaust resources, causing a denial-of-service (DoS) condition. You can read more about the discovery in our blog post and in our Tenable Research Advisory (TRA).
Solution
Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the January 2026 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
- Tenable Blog: Tenable Discovers SSRF Vulnerability in Java TLS Handshakes That Creates DoS Risk
- Tenable Research Advisory: TRA-2026-03
- Oracle Critical Patch Update Advisory - January 2026
- Oracle January 2026 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect and engage with us in the Threat Roundtable group for further discussions on the latest cyber threats.