PROBABLYPWNED
Vulnerabilities · April 26, 2026 · 3 min read

Oracle Patches 481 Vulnerabilities in April Critical Patch Update

Oracle's April 2026 CPU addresses 450 CVEs across 28 product families. Over 300 flaws are remotely exploitable without authentication, with Communications leading at 139 patches.

Marcus Chen

Oracle released 481 security patches as part of its April 2026 Critical Patch Update, addressing approximately 450 unique CVEs across 28 product families. More than 300 of these vulnerabilities are remotely exploitable without authentication, making this one of the largest quarterly updates in recent memory.

Scale of the Update

The sheer volume of patches demands immediate attention from enterprises running Oracle infrastructure. Three dozen of the fixes resolve critical-severity defects, several of them carrying CVSS scores of 9.8, 9.1 and 9.0.

Products Receiving Most Patches

Product Family                    Total Patches    Remotely Exploitable (No Auth)
Oracle Communications                       139                                93
Financial Services Applications              75                                59
Fusion Middleware                            59                                46
MySQL                                        34                                 3
PeopleSoft                                   21                                 7

Additional products receiving significant updates include E-Business Suite, Analytics, Retail Applications, Siebel CRM, Java SE, GoldenGate, and Enterprise Manager, each with 8-18 patches.

Vulnerability Age Distribution

Security teams tracking vulnerability management metrics will note that roughly 390 of the patched vulnerabilities were publicly disclosed within the past two years. Most remaining fixes address issues from 2022-2024, but five vulnerabilities date back to 2020-2021. Organizations running older Oracle installations may have been exposed to these flaws for over half a decade.

This long tail of vulnerability remediation underscores why continuous patch management matters. A system that was "up to date" three years ago may still harbor multiple remotely exploitable flaws.

Context: Recent Oracle Security Issues

This CPU follows an emergency out-of-band patch released last month for CVE-2026-21992, a critical remote code execution vulnerability affecting Oracle Identity Manager and Web Services Manager. That patch was released ahead of schedule after active exploitation was detected.

Organizations that have fallen behind on Oracle patching should review the January 2026 CPU as well to ensure no gaps exist. The cumulative exposure from multiple missed patch cycles can create significant attack surface.

Oracle Communications Dominance

The 139 patches for Oracle Communications products stand out. With 93 of those remotely exploitable without authentication, telecommunications providers and enterprises using Oracle's communication stack face substantial exposure.

These products often handle sensitive call records, subscriber data, and billing information: exactly the kind of data that attracts both state-sponsored actors and financially motivated attackers.

Patch Prioritization

Given the volume, organizations need to prioritize. Focus first on:

  1. Internet-facing systems running affected Oracle products
  2. Authentication and identity infrastructure (Oracle Identity Manager, Access Manager)
  3. Financial Services applications processing sensitive transactions
  4. Fusion Middleware components in production environments

When triaging, cross-check the release against CISA's Known Exploited Vulnerabilities (KEV) catalog: any CVE from this CPU that appears there is confirmed to be exploited in the wild and belongs at the front of the queue regardless of where it falls by CVSS alone.
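The prioritisation above, worked through as an added example (this is not code from the article, from Oracle or from CISA). It scores each finding by CVSS, by whether it is remotely exploitable without authentication, by the exposure tier of the asset it sits on, and by how many years the CVE has been public, and it puts anything listed in KEV at the top. Every data value is constructed for illustration: the CVE identifiers, CVSS scores, products and host names are hypothetical, and KEV_JSON only mirrors the shape of CISA's public known_exploited_vulnerabilities.json (a top-level "vulnerabilities" list whose entries carry "cveID", "dateAdded" and "dueDate").

```python
"""Triage a CPU's findings: exposure-weighted scoring plus a CISA KEV cross-check.

Added example; not code from the article, Oracle or CISA. All identifiers,
scores, hosts and the KEV excerpt below are constructed and hypothetical.
"""
import json
import re
from dataclasses import dataclass
from datetime import date

TODAY = date(2026, 4, 26)   # constructed "now" for the example

# Constructed KEV excerpt in the public catalog's JSON shape (hypothetical entry).
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2025-90002", "vendorProject": "Oracle",
     "product": "Identity Manager (hypothetical)",
     "dateAdded": "2026-03-30", "dueDate": "2026-04-20"}
  ]
}"""


@dataclass(frozen=True)
class Finding:
    cve: str
    product: str
    cvss: float
    remote_no_auth: bool   # the "remotely exploitable without authentication" flag
    asset: str             # host or service running the vulnerable build
    exposure: str          # internet | identity | financial | internal


# Weights follow the article's ordering: internet-facing, then identity
# infrastructure, then financial applications, then everything else.
EXPOSURE_WEIGHT = {"internet": 40, "identity": 30, "financial": 20, "internal": 0}

# Constructed sample findings (hypothetical CVE numbers, not real CVEs).
SAMPLE_FINDINGS = [
    Finding("CVE-2026-90001", "Oracle Communications SBC", 9.8, True, "sbc-edge-01", "internet"),
    Finding("CVE-2025-90002", "Oracle Identity Manager", 9.1, True, "oim-prod-01", "identity"),
    Finding("CVE-2020-90003", "PeopleSoft", 6.5, False, "psft-hr-01", "internal"),
    Finding("CVE-2022-90004", "MySQL Server", 7.2, False, "mysql-int-02", "internal"),
    Finding("CVE-2024-90005", "Financial Services Applications", 8.1, True, "fsa-core-01", "financial"),
]


def load_kev(raw_json: str) -> dict:
    """Return {cveID: dueDate} for every catalog entry."""
    doc = json.loads(raw_json)
    return {v["cveID"]: v["dueDate"] for v in doc["vulnerabilities"]}


def cve_year(cve: str) -> int:
    m = re.fullmatch(r"CVE-(\d{4})-\d{4,}", cve)
    if m is None:
        raise ValueError(f"not a CVE identifier: {cve!r}")
    return int(m.group(1))


def score(f: Finding, kev: dict, today: date) -> int:
    """Higher is more urgent. KEV membership dominates every other factor."""
    s = round(f.cvss * 10)                          # 0..100 from CVSS
    if f.remote_no_auth:
        s += 30                                     # no credentials needed
    s += EXPOSURE_WEIGHT[f.exposure]
    if f.cve in kev:
        s += 100                                    # confirmed exploited in the wild
    s += 5 * max(0, today.year - cve_year(f.cve))   # long-tail penalty per year public
    return s


def prioritize(findings, kev: dict, today: date):
    """Return [(score, finding)] most urgent first, ties broken by CVE ID."""
    scored = [(score(f, kev, today), f) for f in findings]
    return sorted(scored, key=lambda t: (-t[0], t[1].cve))


def age_buckets(findings, today: date) -> dict:
    """Count findings by years since the CVE's year, like the article's breakdown."""
    buckets = {"0-2y": 0, "3-4y": 0, "5y+": 0}
    for f in findings:
        age = today.year - cve_year(f.cve)
        key = "0-2y" if age <= 2 else "3-4y" if age <= 4 else "5y+"
        buckets[key] += 1
    return buckets


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for s, f in prioritize(SAMPLE_FINDINGS, kev, TODAY):
        flag = f"KEV due {kev[f.cve]}" if f.cve in kev else ""
        print(f"{s:4d}  {f.cve}  {f.asset:<13} {f.exposure:<9} {flag}")
    print(age_buckets(SAMPLE_FINDINGS, TODAY))
```

The weights are deliberately coarse: the point is that a KEV-listed CVSS 9.1 on the identity tier outranks a CVSS 9.8 on an internet-facing host that nobody has been seen exploiting yet, and that an old, low-scored flaw still climbs the queue the longer it stays unpatched. Swap in your own asset inventory for the constructed findings and the real catalog download for KEV_JSON.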

Recommendations

  1. Inventory Oracle deployments across the enterprise before patching
  2. Prioritize by exposure - Internet-facing and authentication systems first
  3. Test in staging - Oracle patches occasionally cause compatibility issues
  4. Verify patch application - Confirm patches are actually installed, not just scheduled
  5. Review legacy systems - Identify any Oracle installations that have missed previous CPUs
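Steps 4 and 5 (verify what is actually installed, and find homes that have missed earlier cycles) as an added example, not code from the article or from Oracle. For Oracle Database homes, `opatch lspatches` prints one "<patch number>;<description>" line per applied interim patch and ends with "OPatch succeeded."; the script parses captured output in that shape, reports which required patch numbers are missing per host, and estimates how many quarterly cycles the newest Release Update lags from the YYMMDD stamp at the end of its version string. The host names, patch numbers, version strings and the "today" date are constructed and hypothetical; the real patch numbers come from the CPU README for your product and version.

```python
"""Confirm CPU patches are applied, per Oracle home, from `opatch lspatches` output.

Added example; not code from the article or from Oracle. Hosts, patch numbers,
Release Update version strings and the date treated as "today" are constructed.
"""
import re
from datetime import date
from typing import Optional

TODAY = date(2026, 4, 26)   # constructed "now" for the example

# Patch numbers the CPU is assumed to require for this product line (hypothetical;
# take the real numbers from the CPU README for your version).
REQUIRED_PATCHES = {36900001, 36900002}

# Constructed `opatch lspatches` captures, one per Oracle home.
LSPATCHES = {
    "db-prod-01": (
        "36900001;Database Release Update : 19.99.0.0.260421 (36900001)\n"
        "36900002;OJVM RELEASE UPDATE: 19.99.0.0.260421 (36900002)\n"
        "\nOPatch succeeded.\n"
    ),
    "db-prod-02": (
        "35900001;Database Release Update : 19.96.0.0.250715 (35900001)\n"
        "\nOPatch succeeded.\n"
    ),
    # Inventory could not be read: must not be mistaken for "no patches needed".
    "db-test-03": "OPatch failed with error code 73\n",
}

PATCH_LINE = re.compile(r"^(\d+);(.*)$")
# Release Update version strings end in a YYMMDD stamp, e.g. 19.99.0.0.260421.
RU_STAMP = re.compile(r"Release Update\s*:\s*\d+(?:\.\d+){3}\.(\d{6})", re.IGNORECASE)


def parse_lspatches(output: str) -> dict:
    """Return {patch_number: description}; refuse output that did not succeed."""
    if "OPatch succeeded." not in output:
        raise RuntimeError("opatch did not report success; inventory is not trustworthy")
    applied = {}
    for line in output.splitlines():
        m = PATCH_LINE.match(line.strip())
        if m:
            applied[int(m.group(1))] = m.group(2)
    return applied


def latest_ru_date(applied: dict) -> Optional[date]:
    """Most recent Release Update date found among the applied patch descriptions."""
    stamps = []
    for desc in applied.values():
        m = RU_STAMP.search(desc)
        if m:
            yymmdd = m.group(1)
            stamps.append(date(2000 + int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:])))
    return max(stamps) if stamps else None


def quarters_behind(ru_date: Optional[date], today: date) -> Optional[int]:
    """Approximate number of missed quarterly CPU cycles (91-day quarters)."""
    if ru_date is None:
        return None
    return max(0, (today - ru_date).days // 91)


def verify(host: str, output: str, required: set, today: date) -> dict:
    """Per-host verdict: missing required patches and how far the RU lags."""
    try:
        applied = parse_lspatches(output)
    except RuntimeError as exc:
        return {"host": host, "ok": False, "error": str(exc)}
    present = set(applied)
    ru = latest_ru_date(applied)
    return {
        "host": host,
        "ok": required <= present,
        "missing": sorted(required - present),
        "ru_date": ru,
        "quarters_behind": quarters_behind(ru, today),
    }


def verify_all(captures: dict, required: set, today: date) -> list:
    return [verify(h, out, required, today) for h, out in sorted(captures.items())]


if __name__ == "__main__":
    for v in verify_all(LSPATCHES, REQUIRED_PATCHES, TODAY):
        print(v)
```

Two details matter in practice: output without "OPatch succeeded." is treated as an error rather than an empty patch list, so an unreadable inventory never reads as "nothing missing", and the lag estimate comes from the Release Update stamp, not from a scheduler record, which is the difference between "installed" and "scheduled" that step 4 is about.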

The quarterly CPU cycle means organizations have roughly three months before the next major update. Given the 300+ remotely exploitable vulnerabilities in this release, waiting is not advisable. Attackers routinely reverse-engineer Oracle patches to develop exploits within days of release.
