Oracle rolls out monthly security patch updates

Oracle is changing how its security fixes are delivered: starting in May 2026, there will be a monthly Critical Security Patch Update.

“Each [monthly] CSPU is smaller and more focused, making it easier to apply critical fixes quickly [to customer-managed deployments],” Oracle says.

Quarterly Critical Patch Updates (CPUs) remain in place and will continue to include all fixes released in prior CSPUs.

Managing security across environments

Protections and updates are applied automatically and continuously in Oracle-managed services.

In customer-managed environments, whether run on-premises or on Oracle Cloud Infrastructure, Oracle identifies vulnerabilities and provides patches for supported products, but customers are responsible for planning, testing, and applying updates.

“Keeping systems current with patches is one of the most direct ways to reduce risk. Applying updates in a timely manner helps limit exposure and maintain security over time,” the company noted.

“Upgrades and ongoing patching can be complex in large, highly integrated environments. Oracle provides resources including My Oracle Support, Technical Account Management, and Customer Success teams to help customers plan, test, and execute upgrades and stay current.”

As AI is transforming vulnerability discovery and remediation by increasing the speed and scale of identifying and fixing issues, Oracle is using the access it has to the newest AI models such as Anthropic’s Claude Mythos Preview and OpenAI’s most capable models through Trusted Access for Cyber to extend its own capabilities in that arena.

“Combined with our AI-enabled security operations, these capabilities are applied across Oracle-developed software and services, Oracle Health, and the open-source components we build and use in our products,” the company concluded.