#1
Expediting how Oracle delivers critical fixes for customer-managed environments
Oracle is expanding how security fixes are delivered to customers with a monthly Critical Security Patch Update (CSPU), starting in May 2026. CSPUs provide targeted fixes for critical security issues, allowing customers to address high-priority vulnerabilities without waiting for the next quarterly release. Each CSPU is smaller and more focused, making it easier to apply critical fixes quickly. Quarterly Critical Patch Updates will continue to include all fixes released in prior CSPUs.
This approach enables customers to apply critical fixes more quickly on premises, while continuing to support established quarterly patching cycles through cumulative updates. All patches are applied automatically in Oracle-managed cloud environments.
What this means for customers
Security depends on identifying vulnerabilities quickly and applying fixes just as quickly. Oracle is using AI, including frontier models, to improve how issues are found and to accelerate how fixes are delivered, including the introduction of monthly CSPUs. For customers, maintaining security means staying on supported software and keeping systems up to date with patches. Moving to Oracle Cloud can simplify this significantly by shifting patching and much of the operational burden to Oracle, helping keep systems secure and current with less effort.
Posted from: https://blogs.oracle.com/security/accelerating-vulnerability-detection-and-response-at-oracle
#2
To protect your Oracle database estate from these new AI-enabled threats, Oracle strongly recommends that you upgrade the major version of your databases to either Oracle Database 19c or Oracle AI Database 26ai. These versions contain all of our security patches – including some that were found internally by Oracle and have never been published externally. They are also architecturally much more hardened against security exploits than older database versions, making them less vulnerable to new or evolving security threats.
Oracle also strongly recommends that customers apply very recent quarterly Release Updates (RUs) to their databases. In the short term, customers should test and apply the April 2026 RUs (19.31 or 23.26.2). We also recommend that customers plan to promptly apply the upcoming July 2026 RUs (19.32 or 23.26.3) since these will be the first quarterly updates that we publish after testing with the new AI models.
#3
As you already could read in Accelerating Vulnerability Detection and Response at Oracle, there may be monthly CSPUs available from May onward. Whether we repurpose the MRPs, or whether there will be another vehicle, I don’t know:
Oracle is expanding how security fixes are delivered to customers with a monthly Critical Security Patch Update (CSPU), starting in May 2026. CSPUs provide targeted fixes for critical security issues, allowing customers to address high-priority vulnerabilities without waiting for the next quarterly release. Each CSPU is smaller and more focused, making it easier to apply critical fixes quickly. Quarterly Critical Patch Updates will continue to include all fixes released in prior CSPUs.
Well, and this concept may sound familiar, right? We’ve had CPUs a longer while back in conjunction with PSUs and then BPs. But these new ones will be released monthly, and let us wait together for the amount of content they will include.
But you should be positively aware that MRPs (Monthly Recommended Patches) are available already on Linux for Oracle Database 19c, and those contain security fixes already on a monthly cadence.
Summary
We live in interesting times. Every day seems to being a new challenge, something quite unexpected, and something which sound like impossible fiction a year ago. You can’t stop that, I can’t stop it either. Be we need to adept to it. So, for you, task #1 is to upgrade to 19c and 26ai where you haven’t done already. Watch your clients, ask us if you need help or advice.
Then start setting up your automated patching with AutoUpgrade right away. Of course, you can use also FPP or the OEM package if you are licensed for either one. But do something now, don’t sit it out.
Take this serious – I didn’t write this to scare you. It is real (unfortunately).
Posted from: https://mikedietrichde.com/2026/05/04/patch-your-databases-against-ai-enabled-cybersecurity-threats/
#4
Posted from: https://mikedietrichde.com/2026/05/04/patch-your-databases-against-ai-enabled-cybersecurity-threats/
#5
Oracle Database 19c and Oracle AI Database 26ai Important Recommended One-off Patches