STARTING this month, Oracle is supplementing its quarterly Critical Patch Update (CPU) fixes with monthly security releases focused on high-priority vulnerabilities. The first monthly CSPU will roll out on 28 May 2026, addressing critical-severity vulnerabilities in the company’s products, followed by a second CSPU on 16 June 2026 and a third on 18 August 2026. In July, Oracle will release the usual quarterly CPU, which will contain both fixes for new security defects and the patches included in the prior CSPUs.
This approach enables customers in customer-managed environments to reduce exposure by applying critical fixes sooner, without waiting for the next quarterly cycle. Oracle says the move to a faster patch rollout is driven by the broad adoption of AI across its environments to aid with code analysis, security testing, and vulnerability detection.