Vulnerability Brief · 🟠 High

Oracle Releases Critical Patch Update Addressing 481 Vulnerabilities, Including 376 Third‑Party Component Flaws

Oracle’s April 2026 Critical Patch Update patches 481 security flaws across its product suite, with 78 % targeting non‑Oracle open‑source components. The breadth of affected solutions makes timely remediation essential for third‑party risk management.

LiveThreat™ Intelligence · 📅 April 22, 2026 · 📰 blog.qualys.com
  • Severity: High
  • Type: Vulnerability
  • Confidence: High
  • Affected: 6 sectors
  • Actions: 4 recommended
  • Source: blog.qualys.com


What Happened — Oracle’s April 2026 Critical Patch Update (CPU) delivered patches for 481 security vulnerabilities across its portfolio, with 139 patches targeting Oracle Communications. Over three‑quarters (78 %) of the fixes address non‑Oracle CVEs in bundled open‑source components.

Why It Matters for TPRM

  • The breadth of affected products (database, middleware, communications, finance, etc.) expands the attack surface of any organization that relies on Oracle‑based services.
  • Third‑party component flaws highlight the need for continuous vulnerability management of bundled open‑source libraries.
  • Delayed patching can expose downstream customers to exploit risk, potentially triggering supply‑chain incidents.

Who Is Affected — Enterprises using Oracle Database, Fusion Middleware, Communications, Financial Services Applications, E‑Business Suite, MySQL, and any other Oracle‑hosted solutions across finance, telecom, healthcare, retail, and government sectors.

Recommended Actions

  • Verify that all Oracle products in scope have applied the April 2026 CPU patches.
  • Prioritize remediation of the 27 high‑severity (CVSS ≥ 7.2) updates, especially for Database Server, Autonomous Health Framework, Blockchain Platform, GoldenGate, REST Data Services, and TimesTen.
  • Review third‑party component inventories (e.g., OpenSSL, Apache, log4j) for versions patched by Oracle and confirm they are up‑to‑date.
  • Update vulnerability scanning policies to include the new Qualys QIDs (20574‑20570, etc.).

Technical Notes — The update covers 481 CVEs, including 376 non‑Oracle (open‑source) vulnerabilities. Notable high‑severity CVEs have CVSS base scores up to 7.5. Patches span Oracle Database Server, Autonomous Health Framework, Blockchain Platform, GoldenGate, REST Data Services, TimesTen, and a wide range of other product families.

Source: Qualys Blog – Oracle Critical Patch Update, April 2026

📰 Original Source
https://blog.qualys.com/vulnerabilities-threat-research/2026/04/22/oracle-critical-patch-update-april-2026-security-update-review

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
