Oracle Solaris Third Party Bulletin - July 2025
Description
The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities addressed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Updates are released. These bulletins will also be updated for the following two months after their release (i.e. the two months between the normal quarterly Critical Patch Update publication dates). In addition, Third Party Bulletins may also be updated for vulnerability issues deemed too critical to wait for the next monthly update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Third Party Bulletin security patches as soon as possible.
Patch Availability
Please see My Oracle Support Note 1448883.1
Third Party Bulletin Schedule
Third Party Bulletins are released on the third Tuesday of January, April, July, and October. The next four dates are:
- 21 October 2025
- 20 January 2026
- 21 April 2026
- 21 July 2026
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
Modification History
| Date | Note |
|---|---|
| 2025-September-23 | Rev 3. Added CVEs fixed in Solaris 11.4 SRU 85 |
| 2025-August-19 | Rev 2. Added CVEs fixed in Solaris 11.4 SRU 84 |
| 2025-July-15 | Rev 1. Initial Release with all CVEs fixed in Solaris 11.4 SRU 83 |
Oracle Solaris Executive Summary
This Oracle Solaris Bulletin contains 82 new security patches for the Oracle Solaris Operating System. 39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Oracle Solaris Third Party Bulletin Risk Matrix
Revision 3: Published on 2025-09-23
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2025-6424 | Oracle Solaris | Thunderbird | HTTP | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.4 | See Note 1 |
| CVE-2025-4674 | Oracle Solaris | Go Programming Language | None | No | 8.6 | Local | Low | None | Required | Changed | High | High | High | 11.4 | |
| CVE-2025-58060 | Oracle Solaris | Common Unix Printing System (CUPS) | None | No | 8 | Local | Low | None | None | Un- changed |
Low | High | High | 11.4 | |
| CVE-2025-21086 | Oracle Solaris | Driver | None | No | 7.5 | Local | High | Low | None | Changed | None | High | High | 11.4 | |
| CVE-2025-49630 | Oracle Solaris | Apache HTTP server | HTTP | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 2 |
| CVE-2025-47907 | Oracle Solaris | Go Programming Language | HTTP | Yes | 7 | Network | High | None | None | Un- changed |
High | Low | Low | 11.4 | See Note 3 |
| CVE-2025-24294 | Oracle Solaris | Ruby | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-50078 | Oracle Solaris | MySQL | Multiple | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 11.4 | See Note 4 |
| CVE-2025-8027 | Oracle Solaris | Firefox | HTTP | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 11.4 | See Note 5 |
| CVE-2025-54090 | Oracle Solaris | Apache HTTP server | HTTP | No | 6.3 | Network | Low | Low | None | Un- changed |
Low | Low | Low | 11.4 | |
| CVE-2025-6491 | Oracle Solaris | PHP | HTTP | Yes | 5.9 | Network | High | None | None | Un- changed |
None | None | High | 11.4 | See Note 6 |
| CVE-2024-36348 | Oracle Solaris | Kernel | None | No | 5.6 | Local | High | Low | None | Changed | High | None | None | 11.4 | See Note 7 |
Revision 2: Published on 2025-08-19
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2025-49794 | Oracle Solaris | libxml2 | Multiple | Yes | 9.1 | Network | Low | None | None | Un- changed |
None | High | High | 11.4 | See Note 8 |
| CVE-2025-50059 | Oracle Solaris | JDK 8 | None | Yes | 8.6 | Network | Low | None | None | Changed | High | None | None | 11.4 | |
| CVE-2025-27613 | Oracle Solaris | Git | Multiple | Yes | 8.3 | Network | Low | None | Required | Un- changed |
High | High | Low | 11.4 | See Note 9 |
| CVE-2025-24032 | Oracle Solaris | PAM-PKCS#11 | None | No | 8 | Local | Low | None | None | Un- changed |
High | High | Low | 11.4 | |
| CVE-2024-53920 | Oracle Solaris | GNU Emacs | None | No | 7.8 | Local | Low | None | Required | Un- changed |
High | High | High | 11.4 | |
| CVE-2024-55549 | Oracle Solaris | libxslt | None | No | 7.8 | Local | High | None | None | Changed | None | High | High | 11.4 | |
| CVE-2025-32462 | Oracle Solaris | Sudo | None | No | 7.8 | Local | Low | Low | None | Un- changed |
High | High | High | 11.4 | See Note 10 |
| CVE-2022-49737 | Oracle Solaris | X.Org | Multiple | No | 7.7 | Network | High | Low | None | Changed | Low | Low | High | 11.4 | |
| CVE-2025-5283 | Oracle Solaris | Libvpx | Multiple | Yes | 7.7 | Network | High | None | None | Un- changed |
Low | High | High | 11.4 | |
| CVE-2025-6965 | Oracle Solaris | SQLite3 | Multiple | No | 7.7 | Network | High | Low | None | Changed | Low | High | Low | 11.4 | |
| CVE-2025-22874 | Oracle Solaris | Go Programming Language | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | High | None | 11.4 | See Note 11 |
| CVE-2025-32049 | Oracle Solaris | libsoup | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-47947 | Oracle Solaris | Apache HTTP server | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 12 |
| CVE-2025-6424 | Oracle Solaris | Firefox | Multiple | Yes | 7.5 | Network | High | None | Required | Un- changed |
High | High | High | 11.4 | See Note 13 |
| CVE-2025-32914 | Oracle Solaris | libsoup | Multiple | Yes | 7.4 | Network | High | None | None | Un- changed |
High | None | High | 11.4 | |
| CVE-2025-49175 | Oracle Solaris | X.Org | None | No | 7.3 | Local | Low | Low | None | Un- changed |
High | Low | High | 11.4 | See Note 14 |
| CVE-2025-32050 | Oracle Solaris | libsoup | Multiple | Yes | 7 | Network | High | None | None | Un- changed |
Low | Low | High | 11.4 | See Note 15 |
| CVE-2025-32462 | Oracle Solaris | Sudo | None | No | 7 | Local | High | Low | None | Un- changed |
High | High | High | 11.4 | See Note 16 |
| CVE-2025-0620 | Oracle Solaris | Samba | Multiple | No | 6.6 | Network | High | High | None | Un- changed |
High | High | High | 11.4 | |
| CVE-2020-27748 | Oracle Solaris | xdg-utils | Multiple | Yes | 6.5 | Network | Low | None | Required | Un- changed |
High | None | None | 11.4 | |
| CVE-2023-28746 | Oracle Solaris | Kernel | None | No | 6.5 | Local | Low | Low | None | Changed | High | None | None | 11.4 | |
| CVE-2024-6602 | Oracle Solaris | Netscape Security Services | Multiple | Yes | 6.5 | Network | Low | None | Required | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-4969 | Oracle Solaris | libsoup | Multiple | Yes | 6.5 | Network | Low | None | None | Un- changed |
Low | None | Low | 11.4 | |
| CVE-2025-31176 | Oracle Solaris | Gnuplot | None | No | 6.2 | Local | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 17 |
| CVE-2025-32414 | Oracle Solaris | libxml2 | None | No | 5.6 | Local | High | None | None | Changed | Low | Low | Low | 11.4 | |
| CVE-2025-29088 | Oracle Solaris | SQLite3 | None | No | 5.5 | Local | Low | Low | None | Un- changed |
None | None | High | 11.4 | See Note 18 |
| CVE-2025-48432 | Oracle Solaris | Django | Multiple | Yes | 5.4 | Network | High | None | None | Changed | Low | Low | None | 11.4 | |
| CVE-2024-12243 | Oracle Solaris | GnuTLS | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2024-47081 | Oracle Solaris | Requests | Multiple | Yes | 5.3 | Network | High | None | Required | Un- changed |
High | None | None | 11.4 | |
| CVE-2024-53427 | Oracle Solaris | Command-line JSON Processor | None | No | 5.3 | Local | Low | None | Required | Un- changed |
Low | Low | Low | 11.4 | |
| CVE-2025-48976 | Oracle Solaris | Apache Tomcat | Multiple | Yes | 5.3 | Network | Low | None | None | Un- changed |
None | None | Low | 11.4 | See Note 19 |
| CVE-2024-34397 | Oracle Solaris | GLib | Multiple | No | 5.2 | Physical | Low | None | None | Un- changed |
None | High | Low | 11.4 | See Note 20 |
| CVE-2025-5278 | Oracle Solaris | GNU Coreutils | None | No | 4.4 | Local | Low | None | Required | Un- changed |
Low | None | Low | 11.4 | |
| CVE-2024-7531 | Oracle Solaris | Netscape Security Services | Multiple | Yes | 4.2 | Network | High | None | Required | Un- changed |
Low | None | Low | 11.4 | |
| CVE-2025-32364 | Oracle Solaris | Poppler | None | No | 4 | Local | Low | None | None | Un- changed |
None | None | Low | 11.4 | See Note 21 |
| CVE-2024-58249 | Oracle Solaris | wxWidgets | Multiple | Yes | 3.7 | Network | High | None | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-4945 | Oracle Solaris | libsoup | Multiple | Yes | 3.7 | Network | High | None | None | Un- changed |
None | Low | None | 11.4 | |
| CVE-2025-6052 | Oracle Solaris | GLib | Multiple | Yes | 3.7 | Network | High | None | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-3512 | Oracle Solaris | Qt Toolkit | None | No | 3.6 | Local | Low | None | Required | Changed | None | None | Low | 11.4 | |
| CVE-2024-56431 | Oracle Solaris | GStreamer | None | No | 3.3 | Local | Low | Low | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-24031 | Oracle Solaris | PAM-PKCS#11 | None | No | 3.3 | Local | Low | None | Required | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-24511 | Oracle Solaris | Intel Pci Express Nic Driver | None | No | 3.3 | Local | Low | Low | None | Un- changed |
Low | None | None | 11.4 | |
| CVE-2025-2588 | Oracle Solaris | Augeas | None | No | 3.3 | Local | Low | Low | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-6199 | Oracle Solaris | libsoup | None | No | 3.3 | Local | Low | None | Required | Un- changed |
Low | None | None | 11.4 | |
| CVE-2025-32415 | Oracle Solaris | libxml2 | None | No | 2.9 | Local | High | None | None | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-43965 | Oracle Solaris | ImageMagick | None | No | 2.9 | Local | High | None | None | Un- changed |
None | None | Low | 11.4 | See Note 22 |
| CVE-2025-48708 | Oracle Solaris | Ghostscript | None | No | 2.9 | Local | High | None | None | Un- changed |
Low | None | None | 11.4 | |
| CVE-2025-30258 | Oracle Solaris | GnuPG | None | No | 2.7 | Local | High | None | Required | Changed | None | None | Low | 11.4 | |
| CVE-2023-47466 | Oracle Solaris | TagLib | None | No | 2.5 | Local | High | None | Required | Un- changed |
None | None | Low | 11.4 | |
| CVE-2025-6170 | Oracle Solaris | libxml2 | None | No | 2.5 | Local | High | None | Required | Un- changed |
None | None | Low | 11.4 | |
Revision 1: Published on 2025-07-15
| CVE ID | Product | Third Party component |
Protocol | Remote Exploit without Auth.? |
CVSS VERSION 3.1 RISK (see Risk Matrix Definitions) | Supported Versions Affected |
Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score |
Attack Vector |
Attack Complexity |
Privs Req'd |
User Interact |
Scope | Confid- entiality |
Inte- grity |
Avail- ability |
|||||||
| CVE-2025-31651 | Oracle Solaris | Apache Tomcat | Multiple | Yes | 9.8 | Network | Low | None | None | Un- changed |
High | High | High | 11.4 | See Note 23 |
| CVE-2025-2817 | Oracle Solaris | Firefox | None | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 11.4 | See Note 24 |
| CVE-2025-5269 | Oracle Solaris | Thunderbird | Multiple | No | 8.8 | Network | Low | Low | None | Un- changed |
High | High | High | 11.4 | See Note 25 |
| CVE-2024-56406 | Oracle Solaris | Perl | None | Yes | 8.6 | Network | Low | None | None | Un- changed |
Low | Low | High | 11.4 | |
| CVE-2025-23395 | Oracle Solaris | GNU Screen | None | No | 7.8 | Local | Low | Low | None | Un- changed |
High | High | High | 11.4 | See Note 26 |
| CVE-2024-45802 | Oracle Solaris | Squid | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2024-48615 | Oracle Solaris | Libarchive | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | See Note 27 |
| CVE-2024-8176 | Oracle Solaris | libexpat | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-29915 | Oracle Solaris | Suricata | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | High | None | 11.4 | See Note 28 |
| CVE-2025-3875 | Oracle Solaris | Thunderbird | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
High | None | None | 11.4 | See Note 29 |
| CVE-2025-4138 | Oracle Solaris | Python | Multiple | Yes | 7.5 | Network | Low | None | None | Un- changed |
None | High | None | 11.4 | See Note 30 |
| CVE-2025-46701 | Oracle Solaris | Apache Tomcat | Multiple | Yes | 7.3 | Network | Low | None | None | Un- changed |
Low | Low | Low | 11.4 | |
| CVE-2025-31498 | Oracle Solaris | C-Ares Asychronous Dns Library | Multiple | Yes | 7 | Network | High | None | None | Un- changed |
Low | Low | High | 11.4 | |
| CVE-2025-21577 | Oracle Solaris | MySQL | Multiple | No | 6.5 | Network | Low | Low | None | Un- changed |
None | None | High | 11.4 | See Note 31 |
| CVE-2025-5269 | Oracle Solaris | Firefox | Multiple | Yes | 6.5 | Network | Low | None | None | Un- changed |
Low | Low | None | 11.4 | See Note 32 |
| CVE-2024-37894 | Oracle Solaris | Squid | Multiple | No | 6.3 | Network | High | Low | None | Changed | None | None | High | 11.4 | |
| CVE-2025-5601 | Oracle Solaris | Wireshark | Multiple | Yes | 6.3 | Network | Low | None | Required | Un- changed |
Low | Low | Low | 11.4 | |
| CVE-2025-40909 | Oracle Solaris | Perl | None | No | 5.9 | Local | Low | None | None | Un- changed |
Low | Low | Low | 11.4 | |
| CVE-2025-4516 | Oracle Solaris | Python | None | No | 5.1 | Local | High | None | None | Un- changed |
None | None | High | 11.4 | |
| CVE-2025-1795 | Oracle Solaris | Python | Multiple | No | 3.1 | Network | High | Low | None | Un- changed |
Low | None | None | 11.4 | |
Notes:
1. This patch also addresses CVE-2025-6425 CVE-2025-6426 CVE-2025-6429 CVE-2025-6430 CVE-2025-8027 CVE-2025-8028 CVE-2025-8029 CVE-2025-8030 CVE-2025-8031 CVE-2025-8032 CVE-2025-8033 CVE-2025-8034 CVE-2025-8035.2. This patch also addresses CVE-2024-42516 CVE-2024-43204 CVE-2024-43394 CVE-2024-47252 CVE-2025-23048 CVE-2025-49630 CVE-2025-49812 CVE-2025-53020.
3. This patch also addresses CVE-2025-47907.
4. This patch also addresses CVE-2025-50078 CVE-2025-50079 CVE-2025-50080 CVE-2025-50081 CVE-2025-50082 CVE-2025-50083 CVE-2025-50084 CVE-2025-50085 CVE-2025-50086 CVE-2025-50087 CVE-2025-50091 CVE-2025-50092 CVE-2025-50093 CVE-2025-50094 CVE-2025-50096 CVE-2025-50097 CVE-2025-50098 CVE-2025-50099 CVE-2025-50100 CVE-2025-50101 CVE-2025-50102 CVE-2025-50104 CVE-2025-53023 CVE-2025-5399.
5. This patch also addresses CVE-2025-8028 CVE-2025-8029 CVE-2025-8030 CVE-2025-8031 CVE-2025-8032 CVE-2025-8033 CVE-2025-8034 CVE-2025-8035.
6. This patch also addresses CVE-2025-1220 CVE-2025-1735.
7. This patch also addresses CVE-2024-36349 CVE-2024-36350 CVE-2024-36357.
8. This patch also addresses CVE-2025-49795 CVE-2025-49796 CVE-2025-6021.
9. This patch also addresses CVE-2025-27614 CVE-2025-46334 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 CVE-2025-48386.
10. This patch also addresses CVE-2025-32463.
11. This patch also addresses CVE-2025-22874 CVE-2025-4673.
12. This patch also addresses CVE-2025-48866.
13. This patch also addresses CVE-2025-6425 CVE-2025-6426 CVE-2025-6429 CVE-2025-6430.
14. This patch also addresses CVE-2025-49176 CVE-2025-49177 CVE-2025-49178 CVE-2025-49179 CVE-2025-49180.
15. This patch also addresses CVE-2025-2784 CVE-2025-32051 CVE-2025-32052 CVE-2025-32053 CVE-2025-32906 CVE-2025-32909 CVE-2025-32910 CVE-2025-32911 CVE-2025-32912 CVE-2025-32913 CVE-2025-46420 CVE-2025-46421.
16. This patch also addresses CVE-2025-32463.
17. This patch also addresses CVE-2025-31177 CVE-2025-31178 CVE-2025-31179 CVE-2025-31180 CVE-2025-31181 CVE-2025-3359.
18. This patch also addresses CVE-2025-29087 CVE-2025-3277.
19. This patch also addresses CVE-2025-48988 CVE-2025-49124 CVE-2025-49125.
20. This patch also addresses CVE-2025-3360.
21. This patch also addresses CVE-2025-32365 CVE-2025-43903.
22. This patch also addresses CVE-2025-46393.
23. This patch also addresses CVE-2025-31650.
24. This patch also addresses CVE-2025-4082 CVE-2025-4083 CVE-2025-4084 CVE-2025-4087 CVE-2025-4091 CVE-2025-4093.
25. This patch also addresses CVE-2025-4082 CVE-2025-4083 CVE-2025-4084 CVE-2025-4087 CVE-2025-4091 CVE-2025-4093.
26. This patch also addresses CVE-2025-46802 CVE-2025-46803 CVE-2025-46804 CVE-2025-46805.
27. This patch also addresses CVE-2025-1632 CVE-2025-25724.
28. This patch also addresses CVE-2025-29916 CVE-2025-29917 CVE-2025-29918.
29. This patch also addresses CVE-2025-3877 CVE-2025-3909 CVE-2025-3932 CVE-2025-4918 CVE-2025-4919 CVE-2025-5262 CVE-2025-5263 CVE-2025-5264 CVE-2025-5265 CVE-2025-5266 CVE-2025-5267 CVE-2025-5268 CVE-2025-5269.
30. This patch also addresses CVE-2025-4138 CVE-2025-4330 CVE-2025-4517.
31. This patch also addresses CVE-2025-21574 CVE-2025-21575 CVE-2025-21577 CVE-2025-21579 CVE-2025-21580 CVE-2025-21581 CVE-2025-21583 CVE-2025-21584 CVE-2025-21585 CVE-2025-21588 CVE-2025-30681 CVE-2025-30682 CVE-2025-30683 CVE-2025-30684 CVE-2025-30685 CVE-2025-30687 CVE-2025-30688 CVE-2025-30689 CVE-2025-30693 CVE-2025-30695 CVE-2025-30696 CVE-2025-30699 CVE-2025-30703 CVE-2025-30704 CVE-2025-30705 CVE-2025-30715 CVE-2025-30721 CVE-2025-30722.
32. This patch also addresses CVE-2025-5263 CVE-2025-5264 CVE-2025-5265 CVE-2025-5266 CVE-2025-5267 CVE-2025-5268 CVE-2025-5269.