Description
An issue in the sqlo_natural_join_cond component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Published: 2026-06-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An issue exists in the sqlo_natural_join_cond component of OpenLink Virtuoso OpenSource v7.2.11. The flaw allows an attacker to cause a denial of service by sending specially crafted SQL statements to the database. The result is a loss of availability for the database service, which can impact any applications that rely on it. This weakness is identified as uncontrolled resource consumption, corresponding to a denial of service scenario.

Affected Systems

OpenLink Virtuoso OpenSource 7.2.11, specifically the sqlo_natural_join_cond component. No other vendors or product variants are listed. Users deploying this version should verify whether this component is in use in their environment.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity denial of service vulnerability. EPSS score of 0.00149 (<1%) indicates a very low but non‑zero exploitation probability. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not been widely reported or exploited. The attack vector is inferred to be the ability to communicate with the database engine and submit malformed SQL, which would require access that is either unauthenticated or weakly authenticated. Because the impact is a service disruption, the risk to affected systems remains significant; an attacker who can reach the database interface can potentially interrupt the availability of critical services. The lack of an available patch or workaround in the official CNA data suggests that mitigation will rely on limiting exposure and monitoring for abnormal query activity.

Generated by OpenCVE AI on June 25, 2026 at 23:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict network access to the database engine to trusted hosts only or enforce strict firewall rules to limit exposure of the database service.
  • Monitor database logs for unusually malformed or large SQL queries that could trigger resource exhaustion, and investigate any suspicious activity.
  • Enforce strict input validation and use parameterized queries to mitigate potential SQL injection vulnerabilities.
  • Check the OpenLink Virtuoso project or channels that address this flaw and apply them as soon as they become available.

Generated by OpenCVE AI on June 25, 2026 at 23:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in OpenLink Virtuoso 7.2.11

Thu, 25 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso OpenSource
Weaknesses CWE-400
CWE-770

Thu, 25 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Openlink
Openlink virtuoso-opensource
Vendors & Products Openlink
Openlink virtuoso-opensource

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso OpenSource
Weaknesses CWE-400
CWE-770

Wed, 24 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso OpenSource 7.2.11
Weaknesses CWE-400
CWE-770

Wed, 24 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso OpenSource 7.2.11
Weaknesses CWE-400
CWE-770

Wed, 24 Jun 2026 07:30:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso sqlo_natural_join_cond
Weaknesses CWE-400
CWE-770

Wed, 24 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in Virtuoso sqlo_natural_join_cond
Weaknesses CWE-400
CWE-770

Wed, 24 Jun 2026 01:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in OpenLink Virtuoso OpenSource v7.2.11
Weaknesses CWE-770

Tue, 23 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted SQL in OpenLink Virtuoso OpenSource v7.2.11
Weaknesses CWE-770

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description An issue in the sqlo_natural_join_cond component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
References

Subscriptions

Openlink Virtuoso-opensource
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-25T19:53:30.866Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61021

cve-icon Vulnrichment

Updated: 2026-06-25T19:52:36.283Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T00:00:14Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')