By Research Special Operations
Publication Date: 2026-01-20 21:47:00
Oracle addresses 158 CVEs with 337 patches, including 27 critical updates, in its first 2026 quarterly update.
Key Takeaways:
- The first Critical Patch Update (CPU) for 2026 includes fixes for 158 unique CVEs in 337 security updates.
- 27 issues (8% of all patches) were assigned critical severity.
- CVE-2026-21945, a high-severity Server-Side Request Forgery (SSRF) vulnerability in Oracle Java, was discovered by Tenable Research.
Background
On January 20, Oracle released its Critical Patch Update (CPU) for January 2026, the first quarterly update of 2026. This CPU includes fixes for 158 unique CVEs in 337 security updates across 30 Oracle product families. Of the 337 security updates released this quarter, 8% were assigned a critical severity rating. High-severity patches accounted for the largest share of security patches at 45.7%, followed by medium-severity patches at 42.4%.
This quarter’s update includes 27 critical patches for 13…