Login Sign Up

CVE-2026-21968

6.5 MEDIUM
Denial of Service

📋 TL;DR

This vulnerability in MySQL Server's optimizer component allows authenticated attackers with network access to cause denial of service by crashing or hanging the database server. It affects MySQL versions 8.0.0-8.0.44, 8.4.0-8.4.7, and 9.0.0-9.5.0. Attackers need only low privileges to exploit this vulnerability.

💻 Affected Systems

Products:
  • Oracle MySQL Server
Versions: 8.0.0-8.0.44, 8.4.0-8.4.7, 9.0.0-9.5.0
Operating Systems: All platforms running affected MySQL versions
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations within specified version ranges regardless of configuration

📦 What is this software?

Mysql Server by Oracle

View all CVEs affecting Mysql Server →

Mysql Server by Oracle

View all CVEs affecting Mysql Server →

Mysql Server by Oracle

View all CVEs affecting Mysql Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database unavailability causing application downtime and business disruption

🟠

Likely Case

Intermittent database crashes requiring manual restart and causing service degradation

🟢

If Mitigated

Limited impact with proper network segmentation and privilege restrictions

🌐 Internet-Facing: HIGH - Network accessible with low complexity exploitation
🏢 Internal Only: MEDIUM - Requires authenticated access but low privilege

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Oracle describes as 'easily exploitable' but requires authenticated access

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 8.0.44, 8.4.7, and 9.5.0

Vendor Advisory: https://www.oracle.com/security-alerts/cpujan2026.html

Restart Required: Yes

Instructions:

1. Download latest MySQL version from Oracle website 2. Backup databases 3. Stop MySQL service 4. Install updated version 5. Restart MySQL service 6. Verify functionality

🔧 Temporary Workarounds

Network Access Restriction

linux

Limit MySQL network access to trusted applications only

iptables -A INPUT -p tcp --dport 3306 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP

Privilege Reduction

all

Minimize user privileges to essential operations only

REVOKE ALL PRIVILEGES ON *.* FROM 'user'@'%';
GRANT SELECT, INSERT, UPDATE, DELETE ON database.* TO 'user'@'%';

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate MySQL from untrusted networks
  • Apply principle of least privilege to all database user accounts

🔍 How to Verify

Check if Vulnerable:

Run 'SELECT VERSION();' in MySQL and compare against affected version ranges

Check Version:

mysql -u root -p -e 'SELECT VERSION();'

Verify Fix Applied:

Check version after update and test database functionality under load

📡 Detection & Monitoring

Log Indicators:

  • Unexpected MySQL crashes
  • Error logs showing optimizer failures
  • Abnormal termination messages

Network Indicators:

  • Multiple failed optimizer queries from single source
  • Abnormal query patterns

SIEM Query:

source="mysql.log" AND ("crash" OR "segfault" OR "optimizer error")

📊 Metadata

CVE ID: CVE-2026-21968
CVSS v3 Score: 6.5 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.04% exploit probability (11.8th percentile)
Published: January 20, 2026
Last Updated: January 29, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON