PROBABLYPWNED
Vulnerabilities | January 20, 2026 | 3 min read

Oracle Patches 336 Vulnerabilities in January 2026 CPU

Multiple CVSS 10.0 flaws affect Commerce, Communications, and PeopleSoft. MySQL patches include a critical 9.8-severity bug.

Marcus Chen

Oracle released its January 2026 Critical Patch Update today, addressing 336 security vulnerabilities across its product portfolio. Several flaws carry the maximum CVSS score of 10.0, affecting Oracle Commerce, Oracle Communications, Oracle Fusion Middleware, and Oracle PeopleSoft.

The quarterly security update lands on schedule—Oracle releases CPUs on the third Tuesday of January, April, July, and October. Organizations running Oracle products should treat this as an urgent patching priority given the severity ratings.

What's Most Critical

The worst vulnerabilities this quarter cluster in business-critical enterprise software:

Oracle Commerce received patches for flaws rated up to CVSS 10.0. The advisory notes that some vulnerabilities are "remotely exploitable without authentication"—meaning attackers need no credentials to exploit them. Commerce deployments exposed to the internet face the highest risk.

Oracle Communications also carries CVSS 10.0 vulnerabilities. Given the telecommunications sector's frequent targeting by state-sponsored actors—as recent Cisco Talos research on UAT-7290 demonstrates—communications infrastructure patches warrant immediate attention.

Oracle Fusion Middleware and Oracle PeopleSoft round out the maximum-severity list. PeopleSoft's widespread deployment in HR and finance makes it a high-value target. The "remotely exploitable without authentication" designation for some of these flaws creates a direct path from internet exposure to compromise.

Database and Java Updates

Oracle Database Server receives 7 patches with a highest CVSS of 7.4. Affected versions span 19.3-19.29, 21.3-21.20, and 23.4.0-23.26.0. Two vulnerabilities can be exploited remotely without authentication. Organizations should prioritize patching internet-facing database instances.

Oracle Java SE gets 11 patches, highest severity 7.5. All 11 can be exploited remotely without credentials. Affected versions: Java SE 8u471, 11.0.29, 17.0.17, 21.0.9, and 25.0.1. Client-side Java deployments face the greatest risk since browser-based and applet attacks can leverage these vulnerabilities.

MySQL: Critical 9.8 Severity

Oracle MySQL receives 20 patches with a highest CVSS of 9.8—nearly maximum severity. Seven vulnerabilities allow remote exploitation without authentication. Affected versions extend through MySQL 9.5.0.

MySQL's ubiquity makes this particularly concerning. The database powers countless web applications, and a remotely exploitable vulnerability with no authentication requirement presents an obvious target for automated scanning and exploitation.

Other Notable Products

Oracle GoldenGate gets 5 patches (highest CVSS 8.1), with 3 remotely exploitable without authentication. Organizations using GoldenGate for real-time data replication should patch promptly.

Oracle Graph Server and Client (versions 24.4.4, 25.4.0) receives 1 patch that requires authentication to exploit—lower priority than the unauthenticated vulnerabilities elsewhere.

Why This Matters

Oracle's enterprise software runs critical business processes at thousands of organizations worldwide. The sheer volume of patches—336 this quarter—reflects the complexity of securing such a broad product portfolio.

The concentration of CVSS 10.0 vulnerabilities across multiple products creates prioritization challenges. Security teams must assess which Oracle products they run, which are internet-exposed, and which handle the most sensitive data.

The "remotely exploitable without authentication" designation appearing repeatedly should set off alarms. Attackers scanning for vulnerable Oracle instances won't need stolen credentials or social engineering—just an unpatched server.

What You Should Do Now

  1. Inventory your Oracle deployments and map them against the January 2026 CPU advisory
  2. Prioritize internet-facing systems and any deployment carrying CVSS 9.0+ vulnerabilities
  3. Apply patches immediately for Commerce, Communications, Fusion Middleware, and PeopleSoft instances with unauthenticated remote exploit potential
  4. Monitor for exploitation attempts as details become public and attackers begin scanning
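The four steps above (inventory, prioritize by exposure and severity, patch the unauthenticated-remote products first) can be turned into a small triage script. The following is an added example, not Oracle's tooling and not code from this article. The per-product figures it encodes (highest CVSS, the "remotely exploitable without authentication" designation, and the Database Server and MySQL version ranges from the "Database and Java Updates" and "MySQL" sections) are the ones quoted in the article; the host inventory is constructed for the demonstration, and the scoring weights are an assumption, not an Oracle metric. Graph Server is left out of the table because the article gives it no CVSS figure.

```python
"""Patch-triage helper for the January 2026 Oracle CPU (added example).

The per-product figures are the ones quoted in the article; the host
inventory is constructed, and the scoring weights are an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

VersionRange = Tuple[Optional[str], str]  # (lower bound or None, upper bound), inclusive


@dataclass(frozen=True)
class AdvisoryEntry:
    max_cvss: float      # highest CVSS among the product's fixes this quarter
    unauth_remote: bool  # at least one fix is "remotely exploitable without authentication"
    ranges: Optional[List[VersionRange]] = None  # affected versions where the article lists them


# Figures as reported in the article for the January 2026 CPU.
ADVISORY = {
    "Oracle Commerce":          AdvisoryEntry(10.0, True),
    "Oracle Communications":    AdvisoryEntry(10.0, True),
    "Oracle Fusion Middleware": AdvisoryEntry(10.0, True),
    "Oracle PeopleSoft":        AdvisoryEntry(10.0, True),
    "Oracle MySQL":             AdvisoryEntry(9.8, True, [(None, "9.5.0")]),  # article: "through 9.5.0"
    "Oracle GoldenGate":        AdvisoryEntry(8.1, True),
    "Oracle Java SE":           AdvisoryEntry(7.5, True),
    "Oracle Database Server":   AdvisoryEntry(7.4, True,
                                    [("19.3", "19.29"), ("21.3", "21.20"), ("23.4.0", "23.26.0")]),
}


@dataclass(frozen=True)
class Deployment:
    host: str
    product: str
    version: Optional[str]  # None when the inventory does not record it
    internet_facing: bool
    sensitive_data: bool    # e.g. HR or finance records


def parse_version(v: str) -> Tuple[int, ...]:
    """'19.29' -> (19, 29, 0); padded to three fields so bounds compare field-wise."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def version_affected(version: Optional[str], ranges: Optional[List[VersionRange]]) -> bool:
    """True when the version falls inside any listed range. An unknown version, or a
    product with no ranges listed, is treated as affected: the host cannot be ruled out."""
    if ranges is None or version is None:
        return True
    v = parse_version(version)
    return any((low is None or parse_version(low) <= v) and v <= parse_version(high)
               for low, high in ranges)


# Assumed weights: CVSS is the base; exposure and the unauthenticated designation
# add more than data sensitivity because they decide whether the flaw is reachable.
EXPOSURE_BONUS, UNAUTH_BONUS, SENSITIVE_BONUS = 3.0, 2.0, 1.0


def priority_score(d: Deployment, entry: AdvisoryEntry) -> float:
    score = entry.max_cvss
    if d.internet_facing:
        score += EXPOSURE_BONUS
    if entry.unauth_remote:
        score += UNAUTH_BONUS
    if d.sensitive_data:
        score += SENSITIVE_BONUS
    return round(score, 1)


def triage(inventory: List[Deployment]) -> List[Tuple[float, Deployment]]:
    """Rank affected deployments, highest priority first (ties broken by host name)."""
    ranked = []
    for d in inventory:
        entry = ADVISORY.get(d.product)
        if entry is None or not version_affected(d.version, entry.ranges):
            continue  # not in the summary table, or version outside the listed ranges
        ranked.append((priority_score(d, entry), d))
    ranked.sort(key=lambda r: (-r[0], r[1].host))
    return ranked


# Constructed inventory for the demonstration (host names and versions are invented).
INVENTORY = [
    Deployment("shop-web-01",  "Oracle Commerce",        None,    True,  True),
    Deployment("hr-app-01",    "Oracle PeopleSoft",      None,    False, True),
    Deployment("mysql-web-03", "Oracle MySQL",           "8.4.3", True,  False),
    Deployment("db-prod-02",   "Oracle Database Server", "19.27", False, True),
    Deployment("db-dev-01",    "Oracle Database Server", "21.2",  False, False),  # below the 21.3 lower bound
]

if __name__ == "__main__":
    for score, d in triage(INVENTORY):
        print(f"{score:5.1f}  {d.host:<13} {d.product}  exposed={d.internet_facing}")
```

Run as-is, the script puts the internet-facing Commerce host first, the exposed MySQL instance second, the internal PeopleSoft system third, and the in-range Database Server last, while dropping the development database whose version sits outside the ranges the article lists. The version check is deliberately conservative: a host whose version the inventory does not record is kept in the list rather than silently excluded, which matches step 1's point that the inventory has to be complete before the prioritization means anything.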

Oracle warns in its advisory that they "continue to receive reports of attempts to maliciously exploit vulnerabilities for which patches have already been released." Organizations that delay patching—particularly for remotely exploitable flaws—assume substantial risk.

The next Critical Patch Update arrives April 21, 2026.
