Oracle Solaris Third Party Bulletin - January 2026
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
- For Solaris 11.4, please visit My Oracle Support Note KB161496
- For other Solaris versions in Extended Support or Out of Support, please visit My Oracle Support Note CPU57
Third Party Bulletin Schedule
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
- 21 April 2026
- 21 July 2026
- 20 October 2026
- 19 January 2027
References
- Oracle Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions
- Risk Matrix Definitions
- Use of Common Vulnerability Scoring System (CVSS) by Oracle
- Map of CVE to Bulletin
Modification History
| Date | Note |
|---|---|
| 2026-February -20 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 90 |
| 2026-January -20 | Rev 1. Initial Release |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 69 new security patches for the Oracle Solaris Operating System. 34 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 2: Published on 2026-02-20
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2026-0716 | Oracle Solaris | libsoup | Multiple | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.4 | |
| CVE-2025-52885 | Oracle Solaris | Poppler | None | No | 8.4 | Local | Low | None | None | Un- changed |
High | High | High | 11.4 | |
| CVE-2025-14523 | Oracle Solaris | libsoup | Multiple | Yes | 8.2 | Network | Low | None | None | Un- changed |
Low | High | None | 11.4 | |
| CVE-2025-13601 | Oracle Solaris | GLib | None | No | 7.7 | Local | Low | None | None | Un- changed |
None | High | High | 11.4 | |
| CVE-2025-12642 | Oracle Solaris | Lighttpd | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 1 |
| CVE-2025-14177 | Oracle Solaris | PHP | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 2 |
| CVE-2025-59147 | Oracle Solaris | Suricata | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | High | None | 11.4 | |
| CVE-2025-59375 | Oracle Solaris | libexpat | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-61727 | Oracle Solaris | Go Programming Language | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 3 |
| CVE-2025-66418 | Oracle Solaris | Urllib3 | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 4 |
| CVE-2026-0719 | Oracle Solaris | libsoup | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2026-21945 | Oracle Solaris | JDK 8 | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-62229 | Oracle Solaris | X.Org | Multiple | No | 7.3 | Local | Low | Low | None | Un- changed |
Low | High | High | 11.4 | See Note 5 |
| CVE-2025-64505 | Oracle Solaris | LibPNG | None | No | 7.1 | Local | Low | None | Required | Un- changed |
None | High | High | 11.4 | See Note 6 |
| CVE-2025-66293 | Oracle Solaris | LibPNG | Multiple | Yes | 7.1 | Network | Low | None | Required | Un- changed |
Low | None | High | 11.4 | |
| CVE-2025-7709 | Oracle Solaris | SQLite3 | Multiple | No | 6.8 | Network | High | Low | None | Un- changed |
None | High | High | 11.4 | |
| CVE-2024-53589 | Oracle Solaris | GNU binary utilities | None | No | 6.6 | Local | Low | None | Required | Un- changed |
Low | Low | High | 11.4 | See Note 7 |
| CVE-2025-11563 | Oracle Solaris | libcurl | Multiple | No | 6.5 | Network | Low | Low | Required | Changed | Low | Low | Low | 11.4 | |
| CVE-2025-14512 | Oracle Solaris | GLib | Multiple | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-24528 | Oracle Solaris | Kerberos | Multiple | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-55197 | Oracle Solaris | Manipulation Of Pdf Files | Multiple | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-61911 | Oracle Solaris | Ldap Client Library For Python | Multiple | Yes | 6.5 | Network | Low | None | None | Un- changed |
Low | Low | None | 11.4 | See Note 8 |
| CVE-2025-68146 | Oracle Solaris | Platform Independent File Lock | None | No | 6.3 | Local | High | Low | None | Un- changed |
None | High | High | 11.4 | |
| CVE-2025-30219 | Oracle Solaris | RabbitMQ | None | No | 6.1 | Local | High | High | None | Changed | High | None | Low | 11.4 | |
| CVE-2025-61915 | Oracle Solaris | Common Unix Printing System (CUPS) | None | No | 6 | Local | Low | High | None | Changed | None | None | High | 11.4 | |
| CVE-2024-26458 | Oracle Solaris | Kerberos | Multiple | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 11.4 | See Note 9 |
| CVE-2025-3576 | Oracle Solaris | Kerberos | Multiple | Yes | 5.9 | Network | High | None | None | Un- changed |
None | High | None | 11.4 | |
| CVE-2025-61962 | Oracle Solaris | Fetchmail | Multiple | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-62408 | Oracle Solaris | C-Ares Asychronous Dns Library | Multiple | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-14087 | Oracle Solaris | GLib | Multiple | Yes | 5.6 | Network | High | None | None | Un- changed |
Low | Low | Low | 11.4 | |
| CVE-2025-45582 | Oracle Solaris | GNU Tar | Multiple | Yes | 5.6 | Network | High | None | None | Un- changed |
Low | Low | Low | 11.4 | |
| CVE-2018-15853 | Oracle Solaris | XTerm | None | No | 5.5 | Local | Low | Low | None | Un- changed |
None | None | High | 11.4 | See Note 10 |
| CVE-2024-13978 | Oracle Solaris | LibTIFF | None | No | 5.3 | Local | Low | Low | None | Un- changed |
Low | Low | Low | 11.4 | See Note 11 |
| CVE-2024-47176 | Oracle Solaris | Common Unix Printing System (CUPS) | None | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | Low | None | 11.4 | See Note 12 |
| CVE-2025-62707 | Oracle Solaris | Manipulation Of Pdf Files | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-62708 | Oracle Solaris | Manipulation Of Pdf Files | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 11.4 | See Note 13 |
| CVE-2025-62708 | Oracle Solaris | Manipulation Of Pdf Files | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 11.4 | See Note 14 |
| CVE-2025-8851 | Oracle Solaris | LibTIFF | None | No | 5.3 | Local | Low | Low | None | Un- changed |
Low | Low | Low | 11.4 | |
| CVE-2025-58436 | Oracle Solaris | Common Unix Printing System (CUPS) | None | No | 5.1 | Local | High | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-10148 | Oracle Solaris | libcurl | Multiple | Yes | 4.8 | Network | High | None | None | Un- changed |
Low | Low | None | 11.4 | See Note 15 |
| CVE-2025-62594 | Oracle Solaris | ImageMagick | None | No | 4.7 | Local | High | None | Required | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-10158 | Oracle Solaris | RSYNC | Multiple | No | 4.3 | Network | Low | Low | None | Un- changed |
None | Low | None | 11.4 | |
| CVE-2025-8291 | Oracle Solaris | Python | Multiple | Yes | 4.3 | Network | Low | None | Required | Un- changed |
None | Low | None | 11.4 | |
| CVE-2025-57807 | Oracle Solaris | ImageMagick | None | No | 4.2 | Local | High | Low | Required | Un- changed |
Low | Low | Low | 11.4 | |
| CVE-2025-57812 | Oracle Solaris | Common Unix Printing System (CUPS) | None | No | 4 | Local | Low | None | None | Un- changed |
None | None | Low | 11.4 | See Note 16 |
| CVE-2025-9820 | Oracle Solaris | GnuTLS | None | No | 4 | Local | Low | None | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-64524 | Oracle Solaris | Common Unix Printing System (CUPS) | None | No | 3.3 | Local | Low | Low | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-8961 | Oracle Solaris | LibTIFF | None | No | 3.3 | Local | Low | Low | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-9165 | Oracle Solaris | LibTIFF | None | No | 3.3 | Local | Low | Low | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-9301 | Oracle Solaris | cmake | None | No | 3.3 | Local | Low | Low | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-9403 | Oracle Solaris | Command-line JSON Processor | None | No | 3.3 | Local | Low | None | Required | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-54314 | Oracle Solaris | Puppet | None | No | 2.8 | Local | High | Low | None | Changed | None | Low | None | 11.4 | |
| CVE-2025-8534 | Oracle Solaris | LibTIFF | None | No | 2.5 | Local | High | Low | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-6075 | Oracle Solaris | Python | None | No | 2.3 | Local | Low | High | None | Un- changed |
None | None | Low | 11.4 | |
Revision 1: Published on 2026-01-20
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2025-10230 | Oracle Solaris | Samba | SMB | Yes | 10 | Network | Low | None | None | Changed | High | High | High | 11.4 | See Note 17 |
| CVE-2025-62168 | Oracle Solaris | Squid | HTTP | Yes | 10 | Network | Low | None | None | Changed | High | High | None | 11.4 | |
| CVE-2025-14321 | Oracle Solaris | Firefox | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.4 | See Note 18 |
| CVE-2025-14321 | Oracle Solaris | Thunderbird | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.4 | See Note 19 |
| CVE-2025-55753 | Oracle Solaris | Apache HTTP server | HTTP | No | 8.3 | Network | Low | Low | None | Un- changed |
High | High | Low | 11.4 | See Note 20 |
| CVE-2025-13499 | Oracle Solaris | Wireshark | None | No | 7.8 | Local | Low | None | Required | Un- changed |
High | High | High | 11.4 | See Note 21 |
| CVE-2025-11021 | Oracle Solaris | libsoup | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 11.4 | |
| CVE-2025-12105 | Oracle Solaris | libsoup | HTTP/2 | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-13372 | Oracle Solaris | Django | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 22 |
| CVE-2025-5994 | Oracle Solaris | Unbound | DNS | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | High | None | 11.4 | |
| CVE-2019-18860 | Oracle Solaris | Squid | HTTP | Yes | 6.1 | Network | Low | None | Required | Changed | Low | Low | None | 11.4 | |
| CVE-2025-11411 | Oracle Solaris | Unbound | DNS | No | 6.1 | Adjacent<br>Network | High | None | None | Changed | None | High | None | 11.4 | |
| CVE-2025-11411 | Oracle Solaris | Unbound | DNS | No | 6.1 | Adjacent<br>Network | High | None | None | Changed | None | High | None | 11.4 | |
| CVE-2025-11626 | Oracle Solaris | Wireshark | None | No | 5.5 | Local | Low | None | Required | Un- changed |
None | None | High | 11.4 | See Note 23 |
| CVE-2025-61984 | Oracle Solaris | OpenSSH | None | No | 3.6 | Local | High | Low | None | Un- changed |
Low | Low | None | 11.4 | See Note 24 |
Notes:
1. This patch also addresses CVE-2025-8671.2. This patch also addresses CVE-2025-14178 CVE-2025-14180.
3. This patch also addresses CVE-2025-61729.
4. This patch also addresses CVE-2025-66471.
5. This patch also addresses CVE-2025-62230 CVE-2025-62231.
6. This patch also addresses CVE-2025-64506 CVE-2025-64720 CVE-2025-65018.
7. This patch also addresses CVE-2024-57360 CVE-2025-0840 CVE-2025-1147 CVE-2025-1148 CVE-2025-1149 CVE-2025-1150 CVE-2025-1151 CVE-2025-1152 CVE-2025-1153 CVE-2025-1176 CVE-2025-1178 CVE-2025-1179 CVE-2025-1180 CVE-2025-1181 CVE-2025-1182 CVE-2025-5244 CVE-2025-5245.
8. This patch also addresses CVE-2025-61912.
9. This patch also addresses CVE-2024-26461 CVE-2024-26462.
10. This patch also addresses CVE-2018-15859 CVE-2018-15861 CVE-2018-15863.
11. This patch also addresses CVE-2025-8176 CVE-2025-8177 CVE-2025-9900.
12. This patch also addresses CVE-2025-58364.
13. This patch also addresses CVE-2025-66019.
14. This patch also addresses CVE-2025-66019.
15. This patch also addresses CVE-2025-9086.
16. This patch also addresses CVE-2025-64503.
17. This patch also addresses CVE-2025-9640.
18. This patch also addresses CVE-2025-14322 CVE-2025-14323 CVE-2025-14324 CVE-2025-14325 CVE-2025-14328 CVE-2025-14329 CVE-2025-14330 CVE-2025-14331 CVE-2025-14333.
19. This patch also addresses CVE-2025-14322 CVE-2025-14323 CVE-2025-14324 CVE-2025-14325 CVE-2025-14328 CVE-2025-14329 CVE-2025-14330 CVE-2025-14331 CVE-2025-14333.
20. This patch also addresses CVE-2025-58098 CVE-2025-59775 CVE-2025-65082 CVE-2025-66200.
21. This patch also addresses CVE-2025-13945 CVE-2025-13946.
22. This patch also addresses CVE-2025-64460.
23. This patch also addresses CVE-2025-9817.
24. This patch also addresses CVE-2023-51385 CVE-2025-32728 CVE-2025-61985.