- 11/2026
- High
Oracle released its patch update for January 2026, containing 337 new security patches for multiple affected products in Oracle and third-party components.
The addressed vulnerabilities could allow the attacker to perform various attacks, such as obtaining sensitive information, conducting denial of service attacks, performing data manipulation, or executing arbitrary code and gaining access to the affected systems.
Sample of the addressed vulnerabilities:
1. Oracle VM VirtualBox Takeover Vulnerability (CVE-2026-21990):
- CVSS: 8.2
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Access
2. Oracle FLEXCUBE Investor Servicing Security Management System Vulnerability (CVE-2026-21973):
- CVSS: 8.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Data Manipulation
Sample of the affected products:
- Oracle VM VirtualBox.
- Oracle Planning and Budgeting Cloud Service.
- Oracle Database Enterprise Edition.
- Oracle Agile Product Lifecycle Management for Process.
- Oracle Banking Corporate Lending Process Management.
- Oracle Financial Services Model Management and Governance.
The complete list of the affected products: Oracle Advisory – January 2026
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.