Oracle Database 19.31 Release Update – What DBAs Need to Know

DBA

Punit Oracle DBA

Database Architect · Core DBA · EBS · Cloud · Exadata

Oracle 19c Release Update April 2026 CPU Patching

Oracle Database 19.31 Release Update – What's Inside and What DBAs Need to Know

RU 19.31 (19.31.0.0.260421) is the April 2026 quarterly patch for Oracle Database 19c. It bundles the April 2026 CPU security fixes, cumulative bug fixes, and OJVM updates. Here is everything you need before your maintenance window.

📅 April 29, 2026 📋 Punit 🕑 ~8 min read

⚠ Availability Notice RU 19.31 was delayed from its original April 15 release date. The revised Linux ETA was April 28–May 1, 2026. Other platforms (Windows, AIX, Solaris) target May 12, 2026. The OJVM patch follows 2 days after the RU. Monitor MOS KB106822 (Note 888.1) for the current confirmed availability date before starting downloads.

1What Is RU 19.31?

Oracle Database Release Update 19.31.0.0.260421 is the quarterly cumulative patch for Oracle Database 19c, released in the April 2026 CPU cycle. Like all RUs, it is cumulative — applying 19.31 automatically includes every fix from 19.1 through 19.30.

It covers the Oracle Database RDBMS home. For Grid Infrastructure environments (RAC, Restart), a separate GI RU must be applied to the Grid home. OJVM is also a separate patch applied on top of the RU. Plan your maintenance window to account for all three components if relevant to your stack.

🔒 RDBMS RU

19.31.0.0.260421 — Database Oracle Home. Core engine, optimizer, SQL, PL/SQL, security fixes.

⚡ OJVM RU

Separate patch. Apply after RU. Required if Java VM is installed and in use in your database.

🔌 GI RU

Grid Infrastructure home. Apply separately for RAC and Oracle Restart environments.

2April 2026 CPU Security Fixes Bundled in 19.31

The April 2026 CPU contains 481 new security patches across 28 Oracle product families. For Oracle Database Server specifically, there are 8 new security patches, of which 4 are remotely exploitable without authentication. These are the key CVEs relevant to Oracle Database 19c environments:

CVE	Component	CVSS	Remote / No Auth	Attack Vector
CVE-2026-33870	Clusterware / Micronaut	7.5	Yes	Network / HTTP
CVE-2026-35229	Java VM (OJVM)	7.5	Yes	Oracle Net
CVE-2026-31790	RDBMS / OpenSSL	7.2	Yes	Confidentiality, Integrity, Availability
CVE-2026-26007	RDBMS / Python component	6.5	Yes	Network
CVE-2026-21999	XML Database (XDB)	5.3	No	HTTPS / XDB
CVE-2026-34312	RDBMS Row Access Method	2.4	No	Local / Privileges required

🚫 DBA Action Required CVE-2026-33870 (Clusterware/Micronaut) and CVE-2026-35229 (OJVM) are both CVSS 7.5 and remotely exploitable without authentication. If you run RAC or have OJVM installed, treat these as priority. Do not skip the OJVM RU.

3Key Fix Areas in RU 19.31

Beyond the CPU security layer, Oracle RUs include cumulative bug fixes across all major database components. Based on the patch cycle and known areas, RU 19.31 covers fixes in:

Optimizer & SQL

Plan stability, adaptive plan regressions, cardinality estimates, hints handling.

Data Pump (expdp/impdp)

Proactive recommended patches included. Review KB107134 for your environment.

RAC & Clusterware

Micronaut component CVE fixes. Instance eviction, interconnect, and GRD improvements.

Data Guard

Redo apply stability, broker fixes, switchover/failover edge cases.

PL/SQL & Java VM

OJVM security fix (separate patch). PL/SQL compiler edge case corrections.

OpenSSL / Crypto

CVE-2026-31790 — OpenSSL fix for confidentiality and integrity exposure in RDBMS home.

XML Database (XDB)

CVE-2026-21999 fix. Relevant if HTTPS / XDB is active in your environment.

FIPS 140-3 Readiness

19.31 is the last RU before 19.32 removes 3DES in FIPS-compliant mode. Review now.

⚠ FIPS 140-3 Warning Oracle is transitioning from FIPS 140-2 to FIPS 140-3. Support for 3DES in FIPS-compliant databases is scheduled for removal in RU 19.32. If your environment uses 3DES with FIPS mode, plan your migration to AES before the next quarterly cycle.

4Release Availability Timeline

April 15, 2026 — Original expected release date. Patch not posted. No official reason given.

April 28, 2026 — Revised Linux ETA in KB106822. Further slip reported in community.

May 1, 2026 — Further revised ETA (community-reported). Monitor KB106822 for confirmation.

April 30 / May 1, 2026 — OJVM RU 19.31 (2 days after RU Linux release, projected).

May 12, 2026 — Windows, AIX, Solaris, HP-UX, and other platform ports.

5Pre-Patch Preparation Checklist

Use this time before the patch is available to complete all pre-work so your maintenance window is clean.

• Validate OPatch version

  OPatch must be 12.2.0.1.41 or higher for 19.31. Download the latest from MOS before patching begins.

• Capture current inventory

  Run opatch lsinventory and opatch lspatches for ORACLE_HOME and GRID_HOME. Store as baseline.

• Check OJVM presence

  Query DBA_REGISTRY for JAVAVM. If present — even if unused — apply OJVM RU. CVE-2026-35229 applies.

• Run conflict check

  Use opatch prereq CheckConflictAgainstOHWithDetail against the staged patch directory before applying.

• Perform full backup

  RMAN backup of database and archivelogs. Backup Oracle Home and Grid Home. Create guaranteed restore point if applicable.

• Validate Data Guard status

  Confirm standby is in sync. Check lag, apply lag, and DG broker status before maintenance window.

• Test on lower environment first

  Apply and validate on DEV / SIT / UAT before production. Run full regression on critical workloads.

6Verification SQL — Run Before and After Patching

Check Current Version and Components

SQL – Pre-patch inventory

-- Database version
SELECT banner_full FROM v$version;

-- Installed components and status
SELECT comp_id, comp_name, version, status
FROM   dba_registry
ORDER BY comp_id;

-- Check OJVM specifically
SELECT comp_id, comp_name, version, status
FROM   dba_registry
WHERE  comp_id = 'JAVAVM';

-- Patch history
SELECT patch_id, patch_type, action, status, action_time, description
FROM   dba_registry_sqlpatch
ORDER BY action_time DESC;

OPatch Commands — Oracle Home

Shell – OPatch inventory and conflict check

# Verify OPatch version (must be 12.2.0.1.41+)
$ORACLE_HOME/OPatch/opatch version

# List currently applied patches
$ORACLE_HOME/OPatch/opatch lspatches

# Conflict check before applying (run from patch directory)
$ORACLE_HOME/OPatch/opatch prereq CheckConflictAgainstOHWithDetail \
  -phBaseDir /path/to/19.31/patch

Apply RU 19.31 (Out-of-Place / In-Place)

Shell – Apply RU and run datapatch

# Shutdown database before applying
sqlplus / as sysdba <<EOF
  shutdown immediate;
EOF

# Apply the RU patch
cd /path/to/patch/19.31
$ORACLE_HOME/OPatch/opatch apply

# Start database and run datapatch
sqlplus / as sysdba <<EOF
  startup;
EOF

$ORACLE_HOME/OPatch/datapatch -verbose

Post-Patch Validation

SQL – Post-patch checks

-- Confirm RU applied successfully
SELECT patch_id, patch_type, action, status, action_time
FROM   dba_registry_sqlpatch
ORDER BY action_time DESC
FETCH FIRST 5 ROWS ONLY;

-- Check for invalid objects
SELECT owner, object_type, COUNT(*)
FROM   dba_objects
WHERE  status = 'INVALID'
GROUP BY owner, object_type
ORDER BY owner, object_type;

-- Recompile invalids if needed
@?/rdbms/admin/utlrp.sql

-- Confirm registry status
SELECT comp_id, comp_name, version, status
FROM   dba_registry
ORDER BY comp_id;

✅ For EBS R12.2 Environments After database patching, validate login page, Concurrent Managers, Workflow Mailer, and OAF pages. Run ETCC (checkDBpatch.sh) to confirm codelevel compliance. Validate ADOP readiness before any subsequent application patching cycles.

7Where to Get the Patch and Reference Notes

• KB106822 — Primary Note for Database Quarterly Release Updates (888.1) — availability dates and patch numbers
• CPU58 — Oracle Critical Patch Update April 2026 for Oracle Database Products
• CPU56 — Executive Summary and Analysis (April 2026 CPU)
• KB107134 — Data Pump Recommended Proactive Patches for 19.10 and Above
• 2.4 MOS Note 2200506.1 — Patch Set Update and Critical Patch Update February 2026 Availability Document
• Oracle Critical Patch Update Advisory – April 2026
• Mike Dietrich's Upgrade Blog — community tracking for RU delays and known issues

---

8My DBA View

RU 19.31 is not a patch you can skip. With four remotely exploitable CVEs in the database home — including a CVSS 7.5 in Clusterware/Micronaut and another 7.5 in OJVM — this is a security-first patching cycle. Internal network exposure is not a valid reason to delay.

Use the delay period productively. Every DBA who waits for the patch file before starting preparation will end up rushing the maintenance window. Pre-work now — OPatch upgrade, inventory capture, conflict check staging, backup planning, DG validation, and lower environment scheduling — means a clean, fast production window when the patch finally posts.

For EBS R12.2 on 19c, coordinate with your Apps DBA team early. CPU patching in EBS environments requires aligning database patching with Fusion Middleware patches, ETCC compliance, and ADOP readiness. Do not treat the database layer in isolation.

Prepare early. Test thoroughly. Patch safely. Validate completely.

Punit | punitoracledba.blogspot.com
Database Architect · Core DBA · Apps DBA · OCI · Exadata · AWS RDS Custom

Sources: Oracle Critical Patch Update Advisory April 2026 (oracle.com/security-alerts/cpuapr2026.html), KB106822 Primary Note for Database Quarterly Release Updates (MOS Note 888.1), Mike Dietrich – mikedietrichde.com, Oracle EBS Tech Blog (blogs.oracle.com/ebstech), SecurityWeek April 2026 CPU coverage, Tenable Connect April 2026 CPU analysis.