Oracle Issues April 2026 Critical Patch Update — 481 Fixes Across 28 Product Families
The second quarterly security update of 2026, released April 21, addresses 241 unique CVEs spanning Java SE, MySQL, VirtualBox, Communications, and more — with critical-severity scores as high as 9.8.
Oracle released its Critical Patch Update (CPU) for April 2026 on Tuesday, April 21, 2026 — the second quarterly security update of the year. The update delivers 481 security patches covering 241 unique CVEs across 28 Oracle product families, with 7.1% of patches rated at critical severity and scores reaching as high as 9.8 on the CVSS v3.1 scale.
Customers are strongly urged to apply these patches as soon as possible. Oracle Communications received the greatest share of fixes this cycle, followed by Oracle Financial Services Applications and Oracle Fusion Middleware.
Note that 481 is the number of security patches issued, not the number of distinct vulnerabilities. There are fewer unique CVEs (241) because some vulnerabilities affect multiple products, so a single CVE can account for several patches.
“376 of the 481 security patches — approximately 78% — address non-Oracle CVEs, including vulnerabilities in open-source components bundled within Oracle product distributions.”
— Qualys ThreatPROTECT, April 2026 CPU Security Update Review
Oracle Java SE: 12 New Patches, 8 Remotely Exploitable
This cycle’s Java SE update delivers 12 new security patches — one more than some pre-release summaries suggested. Of these, 8 vulnerabilities may be remotely exploited without authentication, meaning an attacker with network access requires no valid credentials to leverage them. The highest CVSS v3.1 Base Score for Java SE vulnerabilities is 7.5.
The following versions are identified as vulnerable and require immediate patching:
- Oracle Java SE 8u481, 8u481-b50, 8u481-perf
- Oracle Java SE 11.0.30
- Oracle Java SE 17.0.18
- Oracle Java SE 21.0.10
- Oracle Java SE 25.0.1, 25.0.2
- Oracle Java SE 26
- Oracle GraalVM EE 21.3.17
Users running any of the above versions should apply Oracle’s quarterly patch to obtain the corresponding fixed release. Oracle’s Java Management documentation confirms that the patched releases include Java SE 8u491, 11.0.31, 17.0.19, 21.0.11, 25.0.3, and 26.0.1.
Oracle Java SE vulnerabilities in this CPU may also affect Java deployments in clients running sandboxed Java Web Start applications or sandboxed Java applets that load and execute untrusted code. Prioritize patching internet-facing and client-side Java environments.
Oracle MySQL: 34 Patches, Critical Score of 9.8
Oracle MySQL received 34 new security patches this quarter, with 3 vulnerabilities remotely exploitable without authentication. Notably, the highest CVSS v3.1 Base Score for MySQL reaches 9.8 — a critical severity rating — significantly higher than many prior quarters.
The most severe MySQL vulnerability is CVE-2025-15467, found in the Enterprise Backup component of MySQL Enterprise Backup. Successful exploitation can result in remote code execution.
Affected MySQL product lines include:
- MySQL Server 8.0.0–8.0.45, 8.4.0–8.4.8, 9.0.0–9.6.0
- MySQL Cluster 8.0.0–8.0.44, 8.4.0–8.4.7, 9.0.0–9.5.0
- MySQL Enterprise Backup 8.0.0–8.0.45, 8.4.0–8.4.8, 9.0.0–9.6.0
- MySQL Shell 8.0.0–8.0.45, 8.4.0–8.4.8, 9.0.0–9.6.0
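
As an added example (not part of the article or any Oracle tooling), this Python check compares inventoried version strings against the fixed Java SE releases and the affected MySQL Server ranges listed above. The host names and sample version strings are constructed; versions outside the listed data are reported as unlisted or not in range rather than assessed.

```python
import re

# Fixed Java SE releases named in the article, keyed by feature release.
JAVA_FIXED = {8: (8, 0, 491), 11: (11, 0, 31), 17: (17, 0, 19),
              21: (21, 0, 11), 25: (25, 0, 3), 26: (26, 0, 1)}

# Affected MySQL Server ranges exactly as the article lists them (inclusive).
MYSQL_SERVER_AFFECTED = [((8, 0, 0), (8, 0, 45)),
                         ((8, 4, 0), (8, 4, 8)),
                         ((9, 0, 0), (9, 6, 0))]


def parse_java(version):
    """Normalise '1.8.0_481', '8u481-b50', '21.0.10+7-LTS' or '26' to a 3-tuple."""
    head = re.split(r"[-+]", version.strip(), maxsplit=1)[0]
    nums = [int(n) for n in re.findall(r"\d+", head.removeprefix("1."))]
    if not nums:
        raise ValueError(f"unrecognised Java version: {version!r}")
    if nums[0] == 8:  # legacy scheme: the last number is the update level
        return (8, 0, nums[-1] if len(nums) > 1 else 0)
    return tuple((nums + [0, 0])[:3])


def java_status(version):
    """Return 'patched', 'update-needed', or 'unlisted' for a Java SE version."""
    parsed = parse_java(version)
    fixed = JAVA_FIXED.get(parsed[0])
    if fixed is None:
        return "unlisted"  # release line the article gives no fixed version for
    return "patched" if parsed >= fixed else "update-needed"


def mysql_server_affected(version):
    """True if a MySQL Server version string falls in a listed affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised MySQL version: {version!r}")
    parsed = tuple(int(g) for g in m.groups())
    return any(low <= parsed <= high for low, high in MYSQL_SERVER_AFFECTED)


if __name__ == "__main__":
    # Constructed inventory rows (host names and versions are sample data).
    for host, ver in [("app01", "1.8.0_481"), ("app02", "21.0.11+9-LTS"), ("ci03", "26")]:
        print(host, ver, java_status(ver))
    for host, ver in [("db01", "8.0.45-commercial"), ("db02", "8.4.9")]:
        print(host, ver, "affected" if mysql_server_affected(ver) else "not in listed range")
```

Java 8 appears as `1.8.0_481` in `java -version` output and as `8u481` in Oracle's naming; both normalise to the same tuple before comparison.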
Oracle Virtualization (VirtualBox)
Oracle’s Virtualization product family also received security patches in this cycle. Oracle VM VirtualBox users should apply the latest patch to address vulnerabilities, including those that are remotely exploitable without authentication, with CVSS scores up to 7.5.
Oracle recommends updating to the latest supported VirtualBox release. Users still running the VirtualBox 7.1 series should be aware that the 7.1 branch is approaching end-of-life and Oracle encourages migration to the VirtualBox 7.2 series for continued security support.
Oracle Communications: Highest Patch Volume at 139 Fixes
The Oracle Communications family dominated this quarter’s update with 139 security patches — accounting for 28.9% of all patches issued. Of these, 91 vulnerabilities can be exploited without authentication over a network. Several CVEs carry scores of 9.8, 9.6, and 9.1 and could lead to remote code execution if successfully exploited.
Oracle Financial Services Applications followed with 75 patches, and Oracle Fusion Middleware received 59 patches, including critical-severity CVEs with scores of 9.8 and 9.1.
Oracle Database Server: 8 New Patches
Oracle Database Server received 8 new security patches this quarter. Four of these vulnerabilities may be remotely exploited without authentication. The highest CVSS v3.1 Base Score is 7.5. Affected database versions span Oracle Database Server 19.3–19.30, 21.3–21.21, and 23.4.0–23.26.1.
Severity Breakdown
The full distribution of the 481 patches by severity is as follows:
| Severity | Patches Issued | Unique CVEs | Share of Total |
|---|---|---|---|
| Critical | 34 | 22 | 7.1% |
| High | 221 | 99 | 45.9% |
| Medium | 212 | 107 | 44.1% |
| Low | 14 | — | 2.9% |
Fact-Check: Circulating Summary Accuracy
A widely circulated summary of this CPU contained several inaccuracies. The table below documents key claims against verified information from Oracle’s official advisory and security researchers:
| Claim | Circulating Summary | Verified Fact | Verdict |
|---|---|---|---|
| Release date | April 22, 2026 | April 21, 2026 | Incorrect |
| Total patch count | 481 vulnerabilities | 481 patches / 241 unique CVEs | Misleading |
| Java SE patch count | 11 new vulnerabilities | 12 new security patches | Incorrect |
| Java SE remotely exploitable | 7 of 11 | 8 of 12 | Incorrect |
| Java SE max CVSS | 7.5 | 7.5 | Correct |
| MySQL patch count | 34 new vulnerabilities | 34 new security patches | Correct |
| MySQL max CVSS | Implied 7.5 | 9.8 (critical) | Incorrect |
| Java SE affected versions | Listed patched versions as vulnerable | Affected: 8u481, 11.0.30, 17.0.18, 21.0.10, 25.0.x, 26 | Incorrect |
Recommended Actions
Oracle strongly recommends that all customers apply Critical Patch Update patches as soon as possible. Administrators should prioritize:
1. Oracle Communications — The largest attack surface this cycle, with 93 of 139 patches addressing remotely exploitable, unauthenticated vulnerabilities and CVSS scores up to 9.8.
2. Oracle MySQL Enterprise Backup — CVE-2025-15467 carries a CVSS score of 9.8 and enables remote code execution.
3. Oracle Java SE — 8 of 12 patched vulnerabilities are remotely exploitable. Update all affected JDK and JRE installations to the fixed versions (8u491, 11.0.31, 17.0.19, 21.0.11, 25.0.3, or 26.0.1).
4. Oracle Fusion Middleware and Financial Services — Both families contain critical vulnerabilities with code execution potential.
The next Oracle Critical Patch Update is scheduled for release on Tuesday, July 21, 2026.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible.”
— Oracle Critical Patch Update Advisory, April 2026
The full advisory, risk matrices, and patch download links are available at Oracle’s official security alerts page: oracle.com/security-alerts/cpuapr2026.html
