Oracle Solaris Third Party Bulletin - April 2026
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated once after their release (i.e. one update between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
- For Solaris 11.4, please visit My Oracle Support Note KB161496
- For other Solaris versions in Extended Support or Out of Support, please visit My Oracle Support Note CPU57
Third Party Bulletin Schedule
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
- 21 July 2026
- 20 October 2026
- 19 January 2027
- 20 April 2027
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
- Map of CVE to Bulletin
Modification History
| Date | Note |
|---|---|
| 2026-April-21 | Rev 1. Initial Release |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 23 new security patches for the Oracle Solaris Operating System. 20 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 1: Published on 2026-04-21
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2025-56005 | Oracle Solaris | Lex/Yacc Parser For Python | Multiple | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.4 | |
| CVE-2026-2760 | Oracle Solaris | Thunderbird | Multiple | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.4 | See Note 1 |
| CVE-2026-2760 | Oracle Solaris | Firefox | Multiple | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.4 | See Note 2 |
| CVE-2026-2447 | Oracle Solaris | Firefox | Multiple | Yes | 8.8 | Network | Low | None | Required | Un- changed |
High | High | High | 11.4 | |
| CVE-2025-68121 | Oracle Solaris | Go Programming Language | None | No | 8.6 | Local | Low | None | Required | Changed | High | High | High | 11.4 | See Note 3 |
| CVE-2026-23949 | Oracle Solaris | Python Setuptools | Multiple | Yes | 8.6 | Network | Low | None | None | Changed | High | None | None | 11.4 | |
| CVE-2026-3497 | Oracle Solaris | OpenSSH | Multiple | Yes | 8.2 | Network | Low | None | None | Un- changed |
Low | High | None | 11.4 | |
| CVE-2025-14550 | Oracle Solaris | Django | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 4 |
| CVE-2026-0879 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | High | None | Required | Un- changed |
High | High | High | 11.4 | See Note 5 |
| CVE-2026-0879 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un- changed |
High | High | High | 11.4 | See Note 6 |
| CVE-2026-23490 | Oracle Solaris | Asn.1 Types And Codecs | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2026-25673 | Oracle Solaris | Django | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 7 |
| CVE-2026-25679 | Oracle Solaris | Go Programming Language | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 8 |
| CVE-2026-27628 | Oracle Solaris | Pypdf | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 9 |
| CVE-2025-68121 | Oracle Solaris | Go Programming Language | Multiple | Yes | 7.4 | Network | High | None | None | Un- changed |
High | High | None | 11.4 | See Note 10 |
| CVE-2026-25990 | Oracle Solaris | Python Imaging Library (PIL) | Multiple | Yes | 7.3 | Network | Low | None | None | Un- changed |
Low | Low | Low | 11.4 | |
| CVE-2026-24049 | Oracle Solaris | Python Wheel | None | No | 7.1 | Local | Low | None | Required | Un- changed |
None | High | High | 11.4 | |
| CVE-2026-25749 | Oracle Solaris | VIM | None | No | 6.6 | Local | Low | Low | Required | Un- changed |
None | High | High | 11.4 | |
| CVE-2026-22690 | Oracle Solaris | Pypdf | Multiple | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 11.4 | See Note 11 |
| CVE-2026-31826 | Oracle Solaris | Pypdf | Multiple | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
| CVE-2026-26269 | Oracle Solaris | VIM | Multiple | Yes | 5.4 | Network | Low | None | Required | Un- changed |
None | Low | Low | 11.4 | |
| CVE-2026-24688 | Oracle Solaris | Pypdf | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2026-3497 | Oracle Solaris | OpenSSH | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
Low | None | None | 11.4 | |
Notes:
1. This patch also addresses CVE-2026-2757 CVE-2026-2758 CVE-2026-2759 CVE-2026-2761 CVE-2026-2762 CVE-2026-2763 CVE-2026-2764 CVE-2026-2765 CVE-2026-2766 CVE-2026-2767 CVE-2026-2768 CVE-2026-2769 CVE-2026-2770 CVE-2026-2771 CVE-2026-2772 CVE-2026-2773 CVE-2026-2774 CVE-2026-2775 CVE-2026-2776 CVE-2026-2777 CVE-2026-2778 CVE-2026-2779 CVE-2026-2780 CVE-2026-2781 CVE-2026-2782 CVE-2026-2783 CVE-2026-2784 CVE-2026-2785 CVE-2026-2786 CVE-2026-2787 CVE-2026-2788 CVE-2026-2789 CVE-2026-2790 CVE-2026-2791 CVE-2026-2792 CVE-2026-2793.2. This patch also addresses CVE-2026-2757 CVE-2026-2758 CVE-2026-2759 CVE-2026-2761 CVE-2026-2762 CVE-2026-2763 CVE-2026-2764 CVE-2026-2765 CVE-2026-2766 CVE-2026-2767 CVE-2026-2768 CVE-2026-2769 CVE-2026-2770 CVE-2026-2771 CVE-2026-2772 CVE-2026-2773 CVE-2026-2774 CVE-2026-2775 CVE-2026-2776 CVE-2026-2777 CVE-2026-2778 CVE-2026-2779 CVE-2026-2780 CVE-2026-2781 CVE-2026-2782 CVE-2026-2783 CVE-2026-2784 CVE-2026-2785 CVE-2026-2786 CVE-2026-2787 CVE-2026-2788 CVE-2026-2789 CVE-2026-2790 CVE-2026-2792 CVE-2026-2793.
3. This patch also addresses CVE-2025-61732.
4. This patch also addresses CVE-2025-13473 CVE-2026-1207 CVE-2026-1285 CVE-2026-1287 CVE-2026-1312.
5. This patch also addresses CVE-2025-14327 CVE-2026-0877 CVE-2026-0878 CVE-2026-0880 CVE-2026-0882 CVE-2026-0883 CVE-2026-0884 CVE-2026-0885 CVE-2026-0886 CVE-2026-0887 CVE-2026-0890 CVE-2026-0891.
6. This patch also addresses CVE-2025-14327 CVE-2026-0877 CVE-2026-0878 CVE-2026-0880 CVE-2026-0882 CVE-2026-0883 CVE-2026-0884 CVE-2026-0885 CVE-2026-0886 CVE-2026-0891.
7. This patch also addresses CVE-2026-25674.
8. This patch also addresses CVE-2026-27137 CVE-2026-27138 CVE-2026-27139 CVE-2026-27142.
9. This patch also addresses CVE-2026-27024 CVE-2026-27025 CVE-2026-27026 CVE-2026-27888 CVE-2026-28351 CVE-2026-28804.
10. This patch also addresses CVE-2025-61726 CVE-2025-61728 CVE-2025-61730 CVE-2025-61731 CVE-2025-68119.
11. This patch also addresses CVE-2026-22691.