Description
An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Published: 2026-06-23
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The st_compare component of OpenLink Virtuoso OpenSource contains a bug that allows attackers to trigger a denial of service by sending specially crafted SQL statements. The flaw permits the creation of queries that cause the database engine to consume excessive resources or crash, leading to service interruption. This weakness is a typical resource-consumption vulnerability, classified under CWE-770 (allocation of resources without limits or throttling) and CWE-89 (SQL injection).

Affected Systems

The issue affects OpenLink Virtuoso OpenSource version 7.2.11. No other versions are listed as affected. Administrators should verify that this exact version is deployed and assess whether it is still in use.

Risk and Exploitability

The KEV status indicates that it is not listed in the CISA KEV catalog, and no CVSS or EPSS score is publicly available, so the precise severity and exploit likelihood remain unknown. The description indicates that an attacker must be able to execute arbitrary SQL against the database, implying that the threat is most relevant to environments where the database is exposed to untrusted input or where authentication mechanisms are weak. If crafted SQL reaches the st_compare component, the resulting denial of service could affect all users of the database instance.

Generated by OpenCVE AI on June 24, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenLink Virtuoso to a release that includes the fix for the st_compare denial-of-service issue; at a minimum, apply the latest maintenance or security patch available for the OpenSource edition.
  • If an upgrade cannot be performed immediately, restrict or disable the st_compare command in the database configuration or refactor application code to prevent untrusted input from reaching this component.
  • Enforce strict role‑based access controls on the database to limit who can submit raw SQL queries, thereby reducing the window for an attacker to craft the offending statements.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 01:15:00 +0000

Type | Values Removed | Values Added
Title: Denial of Service via Crafted SQL in Virtuoso st_compare
Weaknesses: CWE-770, CWE-89

Tue, 23 Jun 2026 23:00:00 +0000

Type | Values Removed | Values Added
Title: Denial of Service via Crafted SQL in Virtuoso st_compare Component
Weaknesses: CWE-770, CWE-89

Tue, 23 Jun 2026 20:00:00 +0000

Type | Values Removed | Values Added
Title: Denial of Service via Crafted SQL in Virtuoso st_compare Component
Weaknesses: CWE-770, CWE-89

Tue, 23 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description: An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
References:

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-23T16:19:19.292Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61023

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T01:00:06Z

Weaknesses
  • CWE-770: Allocation of Resources Without Limits or Throttling
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')