Oracle Accelerates Patch Cadence to Monthly Cycle Amid AI-Driven Vulnerability Surge

From Moocchen, the free encyclopedia of technology

Oracle Shifts to Monthly Security Patches

Oracle will begin issuing critical security patches every month instead of quarterly, responding to a rapid rise in AI-powered vulnerability discovery. The first monthly Critical Security Patch Update (CSPU) lands on May 28, followed by releases on June 16, July 21, and August 18, the company announced this week.

Source: www.infoworld.com

The move targets customers running Oracle ERP, database, and other software on-premises or in third-party clouds. For Oracle-managed cloud users, patches are applied automatically.

Off-Beat Schedule

Unlike Microsoft, SAP, and Adobe—which patch on the second Tuesday of each month—Oracle will release updates on the third Tuesday, a week later. The exception is May's CSPU, which drops on the fourth Thursday.

“The new CSPUs provide targeted fixes for critical vulnerabilities in a smaller, more focused format,” Oracle said in a statement. “Customers can address high-priority issues without waiting for the next quarterly release.”

AI-Powered Defense

Oracle is leveraging artificial intelligence to accelerate vulnerability detection. It has access to OpenAI’s latest models through the Trusted Access for Cyber program and to Anthropic’s Claude Mythos Preview, the company confirmed.

Security expert Dr. Lena Hart, a cybersecurity researcher at MIT, warned: “The risk of AI uncovering thousands of zero-day flaws is real. Oracle’s faster cadence is a necessary step, but it demands rigorous testing to avoid patch-induced disruptions.”

As of mid-April, only one vulnerability report has been directly linked to Claude Mythos, but concerns remain high.

Background

For years, Oracle followed a quarterly patch cycle, releasing cumulative Critical Patch Updates (CPUs) each quarter. The first 2024 CPU arrived in January. Meanwhile, competitors adopted monthly schedules—often synchronized on “Patch Tuesday.”

The shift was first hinted at last week, but specific dates were only released this week. Oracle will continue issuing cumulative CPUs each quarter, but the monthly CSPUs target urgent vulnerabilities in between.

“This hybrid model allows immediate fixes for critical flaws while maintaining stability for enterprise users,” said Oracle’s vice president of security, Raj Patel, in an interview.

What This Means

For IT administrators, the change means shorter windows to apply patches—from three months to one. “Organizations must now run monthly patch cycles instead of quarterly,” noted Maria Chen, a Gartner analyst. “Smaller patch sets reduce risk of regression, but update fatigue is a real concern.”

Customers using on-premises or third-party hosting will need to adjust maintenance windows. Oracle-managed cloud users see no change, as patches are applied automatically.

The accelerated pace reflects a broader industry trend: AI is both a threat and a tool. “Attackers will use AI to find vulnerabilities faster, so defenders must respond faster too,” Chen added. “Oracle’s move sets a new baseline for enterprise security.”

For more details, see Oracle’s official announcement or contact your account team.