
Oracle Enterprise Manager 24ai: 10 Vulnerabilities, CVSS 9+ - Patch to Release Update 10 NOW

Critical Security Patch Update June 2026 - TEN vulnerabilities with a CVSS Score 9

This is the second CSPU note since Oracle introduced the monthly cycle, and Enterprise Manager versions 13.5 and 24ai are at the top of the list of systems to patch. According to the Oracle Critical Security Patch Update Advisory (links are below), the Enterprise Manager Base Platform has 10 vulnerabilities with a score of nine and higher. For example, CVE-2026-46854 allows an attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Details: https://nvd.nist.gov/vuln/detail/cve-2026-46854 .

The solution: apply Release Update 10 and the Holistic Patch June 2026. The Holistic Patch updates the JDK (Oracle JDK 8 Update 491), Perl (PERL 5.40.2) and Co., and Release Update 10 must be applied before it. But no worries: if you do it in the wrong order, the OMSPatcher tool will tell you.

It will be interesting to see how Oracle's new security strategy with CSPU will influence Oracle Enterprise Manager 24ai patching, and whether a Holistic Patch is now released more often than before with the quarterly RU. For me it's clear: PATCH YOUR OEM AS MUCH AS YOU CAN!

Documents

Patch List

This is the full list of patches. For OMSPatcher and OPatch, verify your installed version first - only update if it is below the required minimum. According to the README for Release Update 10, the minimum versions are:

  • OMSPatcher version 13.9.24.14.0 or later
  • OPatch version 13.9.4.2.20 or later

In my case running RU09, OPatch was already at the required version - no update needed.

My Oracle Support Patch Names

| Patch Name | Description |
|---|---|
| 39193593 | Oracle Enterprise Manager 24ai Release 1 Update 10 (24.1.0.10) for Oracle Management Service (Patch) |
| 39521129 | Oracle Enterprise Manager 24ai Release 1 Holistic Patch for Oracle Management Service - June 2026 (Patch) |
| 19999993 | OMSPatcher patch of version 13.9.24.14.0 for Enterprise Manager 24.1.0.0.0 (Patch) |
| 28186730 | OPATCH 13.9.4.2.23 FOR EM 13.5/24.1 AND FMW/WLS 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 AND IDM 14.1.2.1 (Patch) |

My Lab Setup

  • Oracle Enterprise Manager 24ai Release Update 9 Standalone
  • Oracle Linux Server Release 9.7
  • Running on Compute Instance in Oracle Cloud Infrastructure OCI
  • Directory for WLS keys and config for simplified OMSPatcher patching: /u01/app/oracle/admin/em24ai
  • Software stage directory /u01/app/oracle/stage

Step 1 - Backup first

Ensure that the OMS and the repository (RMAN or a Flashback Database guaranteed restore point) have a current backup. For the OMS:

$ export ORACLE_HOME=/u01/app/oracle/middleware/oms_home
$ mkdir /u01/app/oracle/admin/em24ai/backup
$ emctl exportconfig oms -dir /u01/app/oracle/admin/em24ai/backup

Step 2 - OMSPatcher - required 13.9.24.14.0

Verify current version

$ $ORACLE_HOME/OMSPatcher/omspatcher version
OMSPatcher Version: 13.9.24.13.0
OPlan Version: 12.2.0.1.16
OsysModel build: Tue Apr 28 18:16:31 PDT 2020

OMSPatcher succeeded.
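
The "only update if below the required minimum" check, as an added example that is not part of the original post or of Oracle's tooling: it parses the omspatcher version output and compares it field by field with the required version. The function names are made up for this example; the sample input is the RU09 output shown above.

```shell
#!/bin/sh
# Added example: decide whether OMSPatcher must be replaced before patching.
# Usage on a real host (path from the post):
#   "$ORACLE_HOME/OMSPatcher/omspatcher" version | check_omspatcher 13.9.24.14.0

# Print the dotted version from `omspatcher version` output read on stdin.
omspatcher_version() {
    sed -n 's/^OMSPatcher Version:[[:space:]]*\([0-9][0-9.]*\)[[:space:]]*$/\1/p' | head -n 1
}

# version_ge A B: succeed if dotted version A >= B, comparing each field as a
# number. A plain string compare would rank 13.9.24.9.0 above 13.9.24.14.0.
version_ge() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        fa=${va%%.*}; fb=${vb%%.*}
        # Drop the field just read; an exhausted version counts as 0.
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        if [ "${fa:-0}" -gt "${fb:-0}" ]; then return 0; fi
        if [ "${fa:-0}" -lt "${fb:-0}" ]; then return 1; fi
    done
    return 0
}

# check_omspatcher REQUIRED: exit 0 = version is sufficient, 1 = replace
# OMSPatcher first, 2 = version line not found (treat as a failed check).
check_omspatcher() {
    installed=$(omspatcher_version)
    if [ -z "$installed" ]; then
        echo "UNKNOWN: no 'OMSPatcher Version:' line in input"; return 2
    fi
    if version_ge "$installed" "$1"; then
        echo "OK: $installed >= $1"
    else
        echo "UPDATE: $installed < $1"; return 1
    fi
}

# Sample input: the RU09 output shown in Step 2 of the post.
SAMPLE_RU09='OMSPatcher Version: 13.9.24.13.0
OPlan Version: 12.2.0.1.16
OsysModel build: Tue Apr 28 18:16:31 PDT 2020

OMSPatcher succeeded.'

printf '%s\n' "$SAMPLE_RU09" | check_omspatcher 13.9.24.14.0 || true
```

version_ge takes any two dotted versions, so the same comparison applies to the OPatch minimum from the README.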

Download Patch 19999993: OMSPatcher patch of version 13.9.24.14.0 for Enterprise Manager 24.1.0.0.0 and transfer the patch file to the stage directory /u01/app/oracle/stage on the target host.

Replace OMSPatcher in ORACLE_HOME

Rename the old directory. It can be removed afterwards, as it is no longer used.

$ export ORACLE_HOME=/u01/app/oracle/middleware/oms_home
$ cd $ORACLE_HOME
$ mv OMSPatcher OMSPatcher_old

Copy and extract

$ cp /u01/app/oracle/stage/p19999993_241000_Generic.zip .
$ unzip p19999993_241000_Generic.zip 
$ rm p19999993_241000_Generic.zip

Verify the new version with the same omspatcher version command as before

OMSPatcher Version: 13.9.24.14.0
OPlan Version: 12.2.0.1.16
OsysModel build: Tue Apr 28 18:16:31 PDT 2020

OMSPatcher succeeded.

Step 3 - Oracle Enterprise Manager 24ai Release 1 Update 10 (24.1.0.10) for Oracle Management Service (Patch)

Download Patch 39193593: Oracle Enterprise Manager 24ai Release 1 Update 10 (24.1.0.10) for Oracle Management Service (Patch) and transfer it to the stage directory on the target host.

Extract

$ cd /u01/app/oracle/stage/
$ unzip p39193593_241000_Generic.zip

Deploy Analyze

$ cd /u01/app/oracle/stage/39193593
$ $ORACLE_HOME/OMSPatcher/omspatcher deploy -analyze -property_file /u01/app/oracle/admin/em24ai/etc/24ai.properties

For information about how to create a property file, refer to Section 10 Appendix in the patch README.

The -analyze option verifies the patch and compares it with the installed version. Any compatibility issues would show up here. Wait for the "OMSPatcher succeeded" output.

Deploy

$ $ORACLE_HOME/OMSPatcher/omspatcher deploy -property_file /u01/app/oracle/admin/em24ai/etc/24ai.properties

Without the -analyze flag, the job performs the pre-downtime tasks, prepares the new ORACLE_HOMEs (cloneExtOMSHome_24100 and cloneOMSHome_24100), generates the SQL edition and does the steps required for the update. Do not forget to confirm to proceed.

Update

$ $ORACLE_HOME/OMSPatcher/omspatcher update -property_file /u01/app/oracle/admin/em24ai/etc/24ai.properties

This performs the downtime activities, does the patching, switches the SQL edition and brings up the OMS again. Wait for the "OMSPatcher succeeded" output.

Verification

In the user interface: SYSMAN -> About Enterprise Manager.

[Screenshot: SYSMAN EM Version Pop-Up]

By OMSPatcher:

$ $ORACLE_HOME/OMSPatcher/omspatcher lspatches | grep "Platform Update"
oracle.sysman.top.oms/24.1.0.0.0                  Core                39193593            39193438            Oracle Enterprise Manager 24ai Release 1 Platform Update 10 (24.1.0.10) for Oracle Management Service

Step 4 - Oracle Enterprise Manager 24ai Release 1 Holistic Patch for Oracle Management Service - June 2026 (Patch)

Download Patch 39521129: Oracle Enterprise Manager 24ai Release 1 Holistic Patch for Oracle Management Service - June 2026 (Patch) and transfer it to the stage directory on the target host.

Extract

$ cd /u01/app/oracle/stage/
$ unzip p39521129_241000_Generic.zip

Apply

$ $ORACLE_HOME/OMSPatcher/omspatcher apply /u01/app/oracle/stage/39521129 -spb_patch

As underlying components are updated, this step causes an OMS downtime.

Verification

By OMSPatcher:

$ $ORACLE_HOME/OMSPatcher/omspatcher lspatches | grep 39521129
N/A                 39522703            EM Stack Patch Bundle 24.1.0.0.0(ID:260608.1151) (Patch 39521129)

Step 5 - Anything else?

Sure, there are more steps to do:

  • Patch your Agents by Plan or Gold Image
  • Track CSPU monthly for upcoming patches and releases

Summary

Oracle Enterprise Manager is the control plane for your databases. If it is compromised, everything it manages is at risk. Ten vulnerabilities with a CVSS score of 9 and higher is not something you ignore.

The process: update OMSPatcher, apply Release Update 10, apply the Holistic Patch. That is it. OMSPatcher handles the heavy lifting - it verifies, prepares, patches and brings OMS back up on its own. You just need a maintenance window.

Oracle now ships a Holistic Patch every month alongside the CSPU. That means patching OEM is no longer a once-a-quarter thing - it is a monthly routine. Build it into your schedule. The effort is low, the risk of NOT doing it is not.

PATCH YOUR OEM. Often. No excuses!