We hear more and more about the benefits of using AI models in terms of efficiency and speed of innovation for the software industry. One thing that we also started hearing last month is that new models also offer bad actors new ways to exploit security vulnerabilities.
Oracle Database Engineering is actively working with leading AI model providers to continuously discover vulnerabilities using advanced AI techniques, rapidly remediate them, and deliver fixes via the existing database release updates.
What does this mean to you?
Patch, patch and patch TODAY!
You must apply the quarterly release update (RU) promptly: this is RU31 for 19c (19.31) or RU2 for 26ai (23.26.2). If you are not on 19c or 26ai yet, you must upgrade your database as soon as possible. Also make sure your client libraries are upgraded to 19c or 26ai.
Changes are also coming to the way and frequency with which Oracle delivers security patches. From the Accelerating Vulnerability Detection and Response blog:
Oracle is expanding how security fixes are delivered to customers with a monthly Critical Security Patch Update (CSPU), starting in May 2026. CSPUs provide targeted fixes for critical security issues, allowing customers to address high-priority vulnerabilities without waiting for the next quarterly release. Each CSPU is smaller and more focused, making it easier to apply critical fixes quickly. Quarterly Critical Patch Updates will continue to include all fixes released in prior CSPUs.
This approach enables customers to apply critical fixes more quickly on premises, while continuing to support established quarterly patching cycles through cumulative updates. All patches are applied automatically in Oracle-managed cloud environments.
Review recent communication information
This information is now available through several channels including blog posts & MOS.
- Oracle Support knowledge article PNEWS3015
- Accelerating Vulnerability Detection and Response at Oracle
- Take Action Today: Protect Your Oracle Database Against AI-Enabled Cybersecurity Threats
- Patch your databases against AI-enabled cybersecurity threats
What can you do to patch easier & faster?
As Mike Dietrich mentioned in his post, we live in an interesting and challenging era that we can't stop, so we should rather be prepared. For Oracle Database Administrators this means having all your Oracle databases upgraded and patched to either 19.31 or 23.26.2. Patch NOW!
To make this process easier, use automation tools like Oracle AutoUpgrade, FPP or Oracle Database Lifecycle Management in OEM.
If you have additional questions, contact your Oracle Sales representative or your Oracle Architect.
UPDATE (May 5th):
Integrated Cyber Center issued a note on the upcoming CSPUs.
Beginning May 28, 2026, Oracle will deliver a Critical Security Patch Update (CSPU) each month. CSPUs provide targeted fixes for critical vulnerabilities in a smaller, more focused format, allowing customers to address high-priority issues without waiting for the next quarterly release.
Support has also issued Product-Specific guidance notes. I recommend taking a look at the general note, as there are links to several specific products:
Thanks,
Alfredo