Oracle's inaugural monthly Critical Security Patch Update (CSPU) resolves 35 vulnerabilities, including 11 deemed critical, several of which have publicly available exploit code [1]. The update addresses flaws in various Oracle products, such as Oracle REST Data Services, with specific CVEs including CVE-2026-46840, CVE-2026-46775, and CVE-2026-46839. Of the 35 vulnerabilities, 18 are rated high and 6 are rated medium. The critical flaws have the potential to significantly expand the attack surface, particularly for organizations with exposure to the affected Oracle products. This patch release marks a shift towards monthly updates, aiming to provide more timely fixes for urgent vulnerabilities. For practitioners, what matters is prioritizing patching based on their specific exposure and evidence of exploitation, particularly for the critically rated flaws, to mitigate potential attacks.
Oracle’s first monthly patch release fixes 35 flaws, including 11 rated ‘critical’
⚠️ Critical Alert
Why This Matters
CVE-2026-46840 disclosure expands the active attack surface — prioritize based on your exposure and exploitation evidence.
References
- CSO Online. (2026, June 1). Oracle’s first monthly patch release fixes 35 flaws, including 11 rated ‘critical’. CSO Online. https://www.csoonline.com/article/4179473/oracles-first-monthly-patch-release-fixes-35-flaws-including-11-rated-critical.html
Original Source
CSO Online