Oracle Launches Monthly Security Patching

Summary and analysis of Oracle's first monthly Critical Security Patch Update (CSPU)

Released Thursday, May 28, 2026

–URGENT ACTION RECOMMENDED–

5-minute read  •  For Waratek customers and prospects

Highlights

  •     Oracle has moved from quarterly to monthly & quarterly security patching. The first Critical Security Patch Update (CSPU) shipped on Thursday, May 28, 2026; subsequent CSPUs land on the third Tuesday of each month outside the quarterly CPU window.
  •     This first CSPU is targeted and compact: 35 new security patches across five product families – a deliberately smaller footprint than the 483-patch April CPU.
  •     Headline severity is a CVSS 10.0 in Oracle REST Data Services (ORDS) – the maximum possible score, unauthenticated, network-exploitable.
  •     Oracle E-Business Suite ships 12 patches with a max CVSS 9.9 – attacker focus on EBS remains high after October 2025’s Cl0p extortion campaign (CVE-2025-61882).
  •     Action: Waratek customers should contact [email protected] for RASP rule coverage; prospects can request a same-week protection assessment from [email protected].

What Changed: Oracle’s New Monthly Cadence

For more than two decades Oracle has shipped security fixes on a quarterly Critical Patch Update (CPU) rhythm. As of May 28, 2026, Oracle has introduced an additional, monthly Critical Security Patch Update (CSPU) stream that fills the gap between quarterly releases. The change is a direct response to a year in which Oracle products were targeted by ransomware operators (Cl0p / CVE-2025-61882) and Identity Manager flaws (CVE-2025-61757, CVE-2026-21992) reached CISA’s KEV catalog within days of disclosure.

How the two streams now fit together:

|                        | Before May 2026                                   | From May 2026 onward                                                                            |
|------------------------|---------------------------------------------------|-------------------------------------------------------------------------------------------------|
| Cadence                | Quarterly only (Jan, Apr, Jul, Oct)               | Quarterly CPU + monthly CSPU on the third Tuesday of Feb, Mar, May, Jun, Aug, Sep, Nov, Dec     |
| Typical patch count    | Several hundred patches per CPU (Apr 2026: 483)   | CSPUs targeted and small (May 2026: 35)                                                         |
| Time-to-patch window   | Up to ~90 days between releases                   | Up to ~30 days between releases                                                                 |
| Relationship           | Single mandatory stream                           | Quarterly CPUs still ship and include all prior CSPU fixes                                      |

In practical terms: CSPUs are intended to be small, fast, and focused on the most attacker-relevant issues, while CPUs remain the broad-coverage quarterly release.

Customers who previously waited up to ~90 days for a critical fix can now expect one within ~30 days. The trade-off is more frequent change management – patch teams need a leaner, more repeatable test-and-deploy pipeline.

May 2026 CSPU at a Glance

| Product Family             | New Patches | Unauth. RCE | Max CVSS | Notes                                                                                                                          |
|----------------------------|-------------|-------------|----------|--------------------------------------------------------------------------------------------------------------------------------|
| Oracle REST Data Services  | 11          | 7           | 10.0     | Versions 24.2.0-26.1.0. Includes one bolded non-Oracle CVE (third-party). The headline 10.0 is the top concern in this CSPU.  |
| Oracle E-Business Suite    | 12          | 3           | 9.9      | Versions 12.2.3-12.2.15. Continues a 7-month run of high-severity EBS fixes since Cl0p's October 2025 zero-day.                 |
| Oracle Communications      | 8           | 5           | 9.1      | Unified Assurance 6.1.1-7.0.0. All 8 are third-party component flaws (bolded non-Oracle CVEs).                                  |
| Oracle Hospitality Apps    | 1           | 1           | 9.8      | OPERA 5 Property Services. PCI-scope; remotely exploitable without auth.                                                        |
| Oracle Database Server     | 3           | 3           | 9.0      | Versions 23.4.0-23.26.2. All apply to client-only installs (not server-side).                                                   |

Total: 35 new security patches across 5 product families. Two of those families carry vulnerabilities at CVSS 9.8 or higher, and one carries the maximum 10.0.

Waratek Analysis

1. The 30-day clock is now the patching reality

Even with monthly CSPUs, the operational gap between a vulnerability being publicly disclosed (often via the CVE feed or third-party trackers within hours of release) and a patch being live in production is the single largest determinant of breach risk. Quarterly patching gave attackers up to 90 days of dwell time against an unpatched flaw. Monthly patching cuts that to ~30 days, but only for customers whose change-management pipeline can actually absorb 12 release cycles a year instead of 4.

For organizations that cannot realistically deploy patches within 30 days, the gap has to be closed with compensating runtime controls. This is where Waratek’s compiler-based RASP fits: it instantly applies immutable rules to block known exploit classes (deserialization, expression-language injection, SSRF, command injection). Virtual patching with no downtime required may also be available while the formal patch is being qualified.

2. Third-party component flaws keep dominating

Three of the five affected product families in this CSPU explicitly call out bolded non-Oracle CVEs – i.e., flaws in upstream open-source or industry-standard components. This continues the pattern visible across 2025-2026 Oracle CPUs (Apache Tika, Apache Commons Compress, OpenJPEG, libxml2, SQLite, OpenSSL, valkey). The same CVEs frequently appear in customers’ own Java applications, container base images, and microservices.

Practical implication: treat each Oracle CSPU as a free, curated dependency-vulnerability feed. If Oracle is patching a third-party component in their product, the same CVE almost certainly affects your bespoke services using the same library.
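One way to act on this, as an added example that is not Waratek's or Oracle's code: cross-reference the third-party rows of a CSPU against a CycloneDX-style SBOM of your own service and flag components older than the fixed version. The advisory rows, CVE ids, fixed versions and SBOM below are all constructed placeholders, not the real May 2026 list; real rows come from the advisory URL cited in this post.

```python
import json

def vtuple(v):
    """Turn '1.24.0' into (1, 24, 0) for ordering; non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

# Constructed advisory rows. CVE ids and fixed versions are placeholders,
# NOT the contents of the May 2026 CSPU; populate from the real advisory.
CSPU_THIRD_PARTY = [
    {"cve": "CVE-0000-0001", "component": "commons-compress", "fixed_in": "1.26.0",
     "oracle_product": "Oracle Communications Unified Assurance"},
    {"cve": "CVE-0000-0002", "component": "tika-core", "fixed_in": "3.0.0",
     "oracle_product": "Oracle E-Business Suite"},
    {"cve": "CVE-0000-0003", "component": "libxml2", "fixed_in": "2.13.0",
     "oracle_product": "Oracle REST Data Services"},
]

# Constructed CycloneDX-style SBOM for a bespoke Java service.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "commons-compress", "version": "1.24.0"},   # older than fixed_in -> finding
    {"name": "tika-core", "version": "3.1.0"},           # already at/after fixed_in
    {"name": "jackson-databind", "version": "2.17.0"},   # not in this advisory
]})

def match_sbom(sbom_json, advisory):
    """Return one finding per SBOM component that is older than the advisory's fixed version."""
    comps = json.loads(sbom_json)["components"]
    findings = []
    for row in advisory:
        for c in comps:
            if c["name"] == row["component"] and vtuple(c["version"]) < vtuple(row["fixed_in"]):
                findings.append({"cve": row["cve"], "component": c["name"],
                                 "have": c["version"], "need": row["fixed_in"],
                                 "seen_in": row["oracle_product"]})
    return findings

if __name__ == "__main__":
    for f in match_sbom(SBOM_JSON, CSPU_THIRD_PARTY):
        print(f"{f['cve']}: {f['component']} {f['have']} < {f['need']} "
              f"(Oracle patched it in {f['seen_in']})")
```

Matching by bare component name is the simplification here; in a real pipeline key on the package URL (purl) so that forks and vendored copies are not silently skipped.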

3. The first monthly CSPU is small. Don’t expect that to last.

35 patches is a deliberately tight first release. Historically, Oracle’s quarterly CPUs have grown over time (Apr 2026: 483 patches). Once CSPU becomes routine, we expect each monthly release to grow toward the 50-100 patch range, with quarterly CPUs continuing to act as the broad coverage release. Organizations should size their patch program for that steady state – not for the headline 35.

For More Information

Waratek customers should contact [email protected] for guidance on which RASP rules already cover CVEs in the May 2026 CSPU.

Prospects evaluating Waratek can request a protection assessment from [email protected].

Source advisory: https://www.oracle.com/security-alerts/cspumay2026.html

© 2026 Waratek - All Rights Reserved