CVE-2023-26785

9.8 CRITICAL

📋 TL;DR

This CVE describes a remote code execution vulnerability in MariaDB v10.5 where an attacker could execute arbitrary code by loading a malicious shared object file via UDF (User Defined Function) and using a 'create function' statement. The vulnerability affects MariaDB v10.5 installations, though the MariaDB Foundation disputes the severity since it requires existing database privileges. Attackers with database access could potentially escalate to full system compromise.

💻 Affected Systems

Products:
  • MariaDB
Versions: v10.5
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ✅ No
Notes: Requires CREATE FUNCTION privilege and ability to load shared objects. The MariaDB Foundation disputes this as a vulnerability since it doesn't cross privilege boundaries.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with root-level access, allowing complete control over the database server and potentially lateral movement to other systems.

🟠

Likely Case

Database compromise leading to data theft, manipulation, or destruction by authenticated attackers with UDF creation privileges.

🟢

If Mitigated

Limited impact if proper privilege separation and access controls are implemented, restricting UDF creation to trusted administrators only.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires database authentication and CREATE FUNCTION privilege. Public PoC exists in GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch available as vendor disputes vulnerability. Consider upgrading to latest MariaDB version and implementing workarounds.

🔧 Temporary Workarounds

Restrict UDF Creation Privileges

all

Remove CREATE FUNCTION privilege from non-administrative users and restrict shared object loading.

-- Registering a UDF with CREATE FUNCTION ... SONAME requires the INSERT privilege on the
-- mysql database (MariaDB has no separate CREATE FUNCTION privilege), so revoke it from
-- every non-administrative account:
REVOKE INSERT ON mysql.* FROM 'username'@'host';
-- secure_file_priv is read-only at runtime (SET GLOBAL fails), so set it in the [mysqld]
-- section of my.cnf and restart the server:
-- secure_file_priv = /secure/path

Disable UDF Loading

linux

Configure MariaDB to prevent loading of external shared objects for UDFs.

Add '--skip-grant-tables' to MariaDB startup options (note: this also disables authentication and all privilege checks for every connection, so it is only suitable for recovery scenarios, not for a running production server)

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit database access to trusted sources only.
  • Enable detailed auditing of CREATE FUNCTION statements and monitor for suspicious UDF creation attempts.

🔍 How to Verify

Check if Vulnerable:

Check the MariaDB version with SELECT VERSION(); if it is 10.5.x, list the accounts able to register a UDF. CREATE FUNCTION ... SONAME requires INSERT on the mysql database (the Create_priv column is the table-creation privilege and is not the one to check):

SELECT user, host FROM mysql.user WHERE Insert_priv='Y';
SELECT user, host FROM mysql.db WHERE db='mysql' AND Insert_priv='Y';

Check Version:

SELECT VERSION();

Verify Fix Applied:

Verify CREATE FUNCTION privileges are restricted and secure_file_priv is properly configured.

📡 Detection & Monitoring

Log Indicators:

  • CREATE FUNCTION statements from non-admin users
  • UDF loading attempts
  • Execution of suspicious shared objects

Network Indicators:

  • Unexpected database connections attempting privilege escalation
  • Traffic patterns suggesting UDF exploitation

SIEM Query:

source="mariadb.log" AND "CREATE FUNCTION" AND NOT user="admin"
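The log indicators above can be checked outside a SIEM as well. The following is an added example, not code from the page or from MariaDB, that scans general-log style lines for statements that load a shared object into the server (CREATE FUNCTION ... SONAME, INSTALL SONAME, INSTALL PLUGIN) and reports the ones issued by accounts outside an administrator allowlist. The log lines, account names and library names are constructed; the line layout approximates MariaDB's general log (the general log or the Server Audit Plugin must be enabled for such records to exist, and their exact format varies by version and log_output setting), so the regexes are assumptions to adjust to your own logs.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in MariaDB general-log style (not captured from a real server):
# "<date> <time>  <thread_id> <command>  <argument>". A Connect line binds a thread id to
# an account, so later Query lines on the same thread can be attributed to that account.
SAMPLE_LOG = """\
240301 10:15:02     12 Connect  app_user@10.0.0.5 as app_user on shopdb
240301 10:15:03     12 Query    SELECT id FROM orders LIMIT 1
240301 10:16:40     13 Connect  dba_admin@localhost as dba_admin on mysql
240301 10:16:41     13 Query    CREATE FUNCTION lower_case RETURNS STRING SONAME 'udf_text.so'
240301 10:18:09     12 Query    create function sys_run returns string soname 'custom_udf.so'
240301 10:18:30     12 Query    INSTALL SONAME 'custom_plugin'
240301 10:19:00     12 Quit
"""

# Accounts allowed to register UDFs (assumed allowlist; replace with your DBA accounts).
ADMIN_ACCOUNTS = {"dba_admin@localhost"}

# timestamp, thread id, command, argument
LINE_RE = re.compile(r"^(\S+\s+\S+)\s+(\d+)\s+(\w+)\s*(.*)$")
# "user@host as authenticated_user on db"
CONNECT_RE = re.compile(r"^(\S+@\S+)\s+as\s+")
# Statements that make the server load a shared object from plugin_dir.
LOADER_RE = re.compile(
    r"^\s*(CREATE\s+(?:OR\s+REPLACE\s+)?(?:AGGREGATE\s+)?FUNCTION\b.*\bSONAME\b"
    r"|INSTALL\s+(?:SONAME|PLUGIN)\b)",
    re.IGNORECASE | re.DOTALL,
)


def find_udf_loads(log_text: str, admin_accounts=ADMIN_ACCOUNTS) -> List[Tuple[str, str, str]]:
    """Return (timestamp, account, statement) for every shared-object loading statement
    issued by an account that is not on the administrator allowlist."""
    thread_user: Dict[str, str] = {}
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, tid, cmd, arg = m.groups()
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            if c:
                thread_user[tid] = c.group(1)
        elif cmd == "Quit":
            thread_user.pop(tid, None)
        elif cmd == "Query" and LOADER_RE.match(arg):
            account = thread_user.get(tid, "unknown")
            if account not in admin_accounts:
                hits.append((ts, account, arg.strip()))
    return hits


if __name__ == "__main__":
    for ts, account, stmt in find_udf_loads(SAMPLE_LOG):
        print(f"{ts}  {account}  {stmt}")
```

Matching is case-insensitive because the server accepts CREATE FUNCTION in any case, and statements on a thread whose Connect line was not seen (for example a log that starts mid-session) are attributed to "unknown" rather than silently dropped, so they still surface for review. The admin statement on thread 13 is not reported; the two loader statements on thread 12 are.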
