Full Report
Oracle addresses 158 CVEs in its first quarterly update of 2026 with 337 patches, including 27 critical updates.

Key takeaways:

- The first Critical Patch Update (CPU) for 2026 contains fixes for 158 unique CVEs in 337 security updates.
- 27 issues (8% of all patches) were assigned a critical severity rating.
- CVE-2026-21945, a high severity Server-Side Request Forgery (SSRF) vulnerability in Oracle Java, was discovered by Tenable Research.

## Background

On January 20, Oracle released its Critical Patch Update (CPU) for January 2026, the first quarterly update of 2026. This CPU contains fixes for 158 unique CVEs in 337 security updates across 30 Oracle product families. Out of the 337 security updates published this quarter, 8% of patches were assigned a critical severity. High severity patches accounted for the bulk of security patches at 45.7%, followed by medium severity patches at 42.4%. This quarter’s update includes 27 critical patches across 13 CVEs.

| Severity | Issues Patched | CVEs |
|----------|---------------:|-----:|
| Critical | 27 | 13 |
| High | 154 | 67 |
| Medium | 143 | 69 |
| Low | 13 | 9 |
| Total | 337 | 158 |

## Analysis

This quarter, the Oracle Zero Data Loss Recovery Appliance product family contained the highest number of patches at 56, accounting for 16.6% of the total patches, followed by Oracle Enterprise Manager at 51 patches, which accounted for 15.1% of the total patches.

A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.

| Oracle Product Family | Number of Patches | Remote Exploit without Auth |
|-----------------------|------------------:|----------------------------:|
| Oracle Zero Data Loss Recovery Appliance | 56 | 34 |
| Oracle Enterprise Manager | 51 | 47 |
| Oracle E-Business Suite | 38 | 33 |
| Oracle Java SE | 20 | 7 |
| Oracle MySQL | 14 | 10 |
| Oracle PeopleSoft | 14 | 11 |
| Oracle Systems | 14 | 1 |
| Oracle HealthCare Applications | 12 | 10 |
| Oracle JD Edwards | 12 | 10 |
| Oracle Hospitality Applications | 11 | 11 |
| Oracle Retail Applications | 10 | 8 |
| Oracle Commerce | 8 | 7 |
| Oracle Communications | 8 | 2 |
| Oracle Financial Services Applications | 8 | 6 |
| Oracle Database Server | 7 | 2 |
| Oracle TimesTen In-Memory Database | 7 | 6 |
| Oracle Hyperion | 7 | 5 |
| Oracle Analytics | 6 | 6 |
| Oracle GoldenGate | 5 | 3 |
| Oracle Fusion Middleware | 5 | 3 |
| Oracle Siebel CRM | 5 | 1 |
| Oracle Supply Chain | 5 | 4 |
| Oracle Construction and Engineering | 4 | 4 |
| Oracle Health Sciences Applications | 4 | 4 |
| Oracle APEX | 1 | 0 |
| Oracle Essbase | 1 | 1 |
| Oracle Graph Server and Client | 1 | 0 |
| Oracle Key Vault | 1 | 0 |
| Oracle NoSQL Database | 1 | 1 |
| Oracle Secure Backup | 1 | 1 |

## Tenable Research discovery

As part of the January CPU, Oracle addressed CVE-2026-21945, a high severity Server-Side Request Forgery (SSRF) vulnerability in Oracle Java that is remotely exploitable without authentication. When successfully exploited, it can be leveraged to exhaust resources, causing a denial-of-service (DoS) condition. You can read more about the discovery in our blog post and in our Tenable Research Advisory (TRA).

## Solution

Customers are advised to apply all relevant patches in this quarter’s CPU. Please refer to the January 2026 advisory for full details.

## Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released. The plugin list is generated by a search filter, so all matching plugin coverage will appear as it is released.

## Get more information

- Tenable Blog: Tenable Discovers SSRF Vulnerability in Java TLS Handshakes That Creates DoS Risk
- Tenable Research Advisory: TRA-2026-03
- Oracle Critical Patch Update Advisory - January 2026
- Oracle January 2026 Critical Patch Update Risk Matrices
- Oracle Advisory to CVE Map
Analysis Summary
# Vulnerability: Oracle January 2026 CPU Summary (158 CVEs Total)
## CVE Details
- CVE ID: Varies (158 unique CVEs addressed)
- CVSS Score: Not provided per CVE in this summary; 27 of the updates were rated Critical.
- CWE: Not detailed for all CVEs.
## Affected Systems
- Products: 30 Oracle product families patched, including Oracle Zero Data Loss Recovery Appliance, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Java SE, Oracle MySQL, Oracle PeopleSoft, and many others.
- Versions: Not specified for individual CVEs, but applies to products supported by the January 2026 Critical Patch Update (CPU).
- Configurations: Varies by product. The most heavily patched product family was Oracle Zero Data Loss Recovery Appliance (56 patches).
## Vulnerability Description
This summary covers Oracle's January 2026 Critical Patch Update (CPU), which addresses 158 unique Common Vulnerabilities and Exposures (CVEs) across 337 security updates. The patches range in severity, with 27 marked as Critical (8% of total updates) and 45.7% rated as High severity.
**Featured Vulnerability (CVE-2026-21945):**
This is a **High Severity Server-Side Request Forgery (SSRF)** vulnerability discovered in **Oracle Java**. When successfully exploited, it can lead to resource exhaustion, resulting in a Denial-of-Service (DoS) condition.
## Exploitation
- Status: Details for individual CVEs vary. **CVE-2026-21945 (Java SSRF) is remotely exploitable without authentication.** No general exploitation status for all 158 CVEs is provided.
- Complexity: Not stated. CVE-2026-21945 is remotely exploitable without authentication, which suggests a lower attack complexity for that specific flaw.
- Attack Vector: Varies. For CVE-2026-21945, the attack vector is **Network**, since the flaw is an SSRF that can be exploited without authentication.
## Impact
- Confidentiality: Varies by CVE.
- Integrity: Varies by CVE.
- Availability: For **CVE-2026-21945**, the impact includes resource exhaustion leading to a **DoS condition**.
## Remediation
### Patches
- Customers must apply **all relevant patches** included in the **January 2026 Critical Patch Update (CPU)** from Oracle. (Specific patch versions are located in the main advisory).
### Workarounds
- No specific workarounds for the 158 CVEs or CVE-2026-21945 are detailed in this summary. Immediate patching is the primary recommendation.
## Detection
- Detection methods include using Tenable plugins designed to identify coverage for the January 2026 CPU vulnerabilities as they are released.
- Specific details for Tenable plugins can be found via a defined search filter link in the reference section.
## References
- Vendor Advisory: hxxps://www.oracle.com/security-alerts/cpujan2026.html
- Risk Matrices: hxxps://www.oracle.com/security-alerts/cpujan2026verbose.html
- Advisory to CVE Map: hxxps://www.oracle.com/security-alerts/public-vuln-to-advisory-mapping.html
- Tenable Blog (Java SSRF): hxxps://www.tenable.com/blog/tenable-discovers-ssrf-vulnerability-in-java-tls-handshakes-that-creates-dos-risk
- Tenable Research Advisory (TRA-2026-03): hxxps://www.tenable.com/security/research/tra-2026-03