This page lists announcements of security fixes made in Critical Patch Update Advisories, Security Alerts and Bulletins, and it is updated when new Critical Patch Update Advisories, Security Alerts and Bulletins are released.
Critical Patch Updates provide security patches for supported Oracle on-premises products. They are available to customers with valid support contracts. Critical Patch Updates are released on the third Tuesday of January, April, July, and October. The next four dates are:
A pre-release announcement will be published on the Thursday preceding each Critical Patch Update release.
The Critical Patch Updates released since 2021 are listed in the following table. Critical Patch Updates released before 2021 are available here.
Oracle will issue Security Alerts for vulnerability fixes deemed too critical to wait for distribution in the next Critical Patch Update. The Security Alerts released since 2021 are listed in the following table. Security Alerts released before 2021 are available here.
| Security Alert Number And Description | Latest Version/Date |
|---|---|
| Alert for CVE-2026-21992 | Rev 2, 20 March 2026 |
| Alert for CVE-2025-61884 | Rev 1, 11 October 2025 |
| Alert for CVE-2025-61882 | Rev 2, 06 October 2025 |
| Alert for CVE-2024-21287 | Rev 1, 18 November 2024 |
| Alert for CVE-2022-21500 | Rev 2, 25 May 2022 |
| Alert for CVE-2021-44228 | Rev 3, 17 December 2021 |
Solaris Third Party Bulletins are used to announce security patches for third-party software distributed with Oracle Solaris. Solaris Third Party Bulletins are published on the same day as Oracle Critical Patch Updates are released. These bulletins will be updated on the third Tuesday of the following two months after their release (i.e., the two months between the normal quarterly Critical Patch Update publication dates). In addition, Solaris Third Party Bulletins may also be updated for vulnerability patches deemed too critical to wait for the next scheduled publication date. Solaris Third Party Bulletins released before 2021 are available here.
Oracle Linux Security Advisories are published at https://linux.oracle.com/security/.
The Map of CVE to Advisory/Alert indicates which CVEs are fixed in each Critical Patch Update and Security Alert. The Map of CVE to Solaris Third Party Bulletin indicates which CVEs are fixed in each Solaris Third Party Bulletin.
The page provides Oracle CVEs which are not published in other Oracle public documents.
As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the Critical Patch Update or Security Alert notification, the pre-installation notes, the readme files, and FAQs. Oracle provides all customers with the same information in order to protect all customers equally. Oracle will not provide advance notification or "insider information" on Critical Patch Update or Security Alerts to individual customers. Finally, Oracle does not distribute exploit code (or "proof of concept code") for vulnerabilities in our products.
The Oracle Cloud operations and security teams regularly evaluate Oracle’s Critical Patch Updates and Security Alert fixes as well as relevant third-party fixes as they become available and apply the relevant patches in accordance with applicable change management processes.
Cloud customers requiring information that is not addressed in the Critical Patch Update Advisory may obtain information as follows: