Oracle’s first monthly patch release fixes 35 flaws, including 11 rated ‘critical’
Summary
Oracle has released its first monthly Critical Security Patch Update (CSPU) for May 2026, addressing 35 vulnerabilities, including 11 rated as critical. Among these are several flaws with publicly available exploit code, some of which have been known for a considerable time, highlighting ongoing challenges with patching embedded open-source components.
IFF Assessment
The article details a patch release covering numerous critical vulnerabilities, some with public exploits, which pose an immediate risk to organizations using Oracle products.
Severity
The article specifically mentions CVE-2026-46840 as having the maximum CVSS rating of 10, indicating a critical vulnerability that is likely exploitable and has a severe impact.
Defender Context
This release highlights the importance of timely patching for Oracle products, especially for vulnerabilities with public exploit code. Defenders should prioritize patching these critical flaws, as well as those with high CVSS scores and known exploits, to mitigate immediate risks.