Oracle released a critical patch for Java 7/8 which patches CVE-2016-0636 – a remote code execution. This is a patch which has been released between two normal Oracle Java “Patch-Days”. This should be enough proof that the vulnerability is indeed critical. To quote Oracle:
Due to the severity of this vulnerability and the public disclosure of technical details, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible. – Oracle Security Alert
The latest patches for Java 7 and 8 include the fix for this security issue. Affected were Oracle Java SE 7 Update 97, and Java SE 8 Update 73 and 74 for Windows, Solaris, Linux, and Mac OS X.
CVE-2016-0636 CVSS v2