Impact
A flaw in the sqlo_try_in_loop component of the openlink virtuoso-opensource database engine allows an attacker to send specially crafted SQL statements that cause the database server to hang and become unresponsive. The resulting denial of service would disrupt any applications relying on the database and could lead to loss of service availability during the attack. The weakness can be categorized as improper resource control that permits a single request to exhaust or lock critical server resources for an extended period. Based on the description, the likely attack vector is an external client that can connect to the database and issue arbitrary SQL commands, potentially over the network interface that exposes the Virtuoso engine.
Affected Systems
This issue affects the openlink virtuoso-opensource product version 7.2.11. No other versions or distributions are listed as impacted in the provided data.
Risk and Exploitability
The CVE has no publicly available CVSS score and the EPSS score is not disclosed, which means the quantified risk level has not been formally determined. The vulnerability is not featured in the CISA KEV catalog, so there is no evidence of active exploitation at this time. Nonetheless, the ability to trigger a denial of service can have serious impact on high-availability deployments, especially where the database is exposed to external traffic. The attack requires the ability to execute SQL against the vulnerable database instance, which could be achieved by an authenticated or unauthenticated client depending on the database configuration. The potential impact is limited to service availability rather than confidentiality or integrity, but repeated or prolonged attacks could result in significant business disruption.
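Because the only stated impact is a hang of the SQL service, the two things a defender wants from this advisory are a way to tell whether a deployment runs the listed release and a way to notice the unresponsive state quickly. The script below is an added example, not part of the advisory or of the Virtuoso project: it parses a version string against the advisory's affected release (7.2.11) and classifies a window of probe results into a health state. It assumes the Virtuoso SQL listener is on its default port 1111, and the sample banner text and probe results in the code are constructed. The probe function is injectable so the classification logic can be exercised offline.

```python
"""Version check and availability classifier for a Virtuoso SQL listener.

Added example, not part of the advisory. Assumptions are marked in comments.
"""
import re
import socket
import time
from typing import Callable, List, Optional, Tuple

# The advisory lists only virtuoso-opensource 7.2.11 as affected.
AFFECTED_VERSIONS = {(7, 2, 11)}

# Assumption: the deployment uses Virtuoso's default SQL listener port.
DEFAULT_SQL_PORT = 1111


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first dotted three-part numeric version (e.g. '7.2.11')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_affected(version_text: str) -> bool:
    """True when the reported version is one the advisory lists as affected."""
    v = parse_version(version_text)
    return v is not None and v in AFFECTED_VERSIONS


def tcp_probe(host: str, port: int = DEFAULT_SQL_PORT, timeout: float = 3.0) -> Optional[float]:
    """Measure TCP connect latency in seconds; None if refused or timed out.

    Caveat: a completed handshake only proves the listener accepts sockets.
    A hung query engine can still accept connections, so in production pair
    this with a real SQL round trip (e.g. a trivial SELECT over the ODBC
    driver) using the same timeout discipline.
    """
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None


def classify(samples: List[Optional[float]], slow_threshold: float = 1.0) -> str:
    """Turn a window of probe results into a health state.

    'unresponsive' : no probe in the window succeeded
    'degraded'     : at least one failure, or median latency above slow_threshold
    'healthy'      : otherwise
    """
    if not samples:
        raise ValueError("need at least one sample")
    successes = sorted(s for s in samples if s is not None)
    if not successes:
        return "unresponsive"
    median = successes[len(successes) // 2]
    if len(successes) < len(samples) or median > slow_threshold:
        return "degraded"
    return "healthy"


def monitor(probe: Callable[[], Optional[float]], samples: int = 5, interval: float = 0.0) -> str:
    """Run `probe` `samples` times and classify the window.

    `probe` is injectable so the logic can be tested without a live server.
    """
    results: List[Optional[float]] = []
    for _ in range(samples):
        results.append(probe())
        if interval:
            time.sleep(interval)
    return classify(results)


if __name__ == "__main__":
    # Constructed banner text; the real string would come from the server's
    # own version output (assumption: the dotted version appears verbatim).
    print("affected:", is_affected("Virtuoso Open Source Edition 7.2.11"))
    print("state:", monitor(lambda: tcp_probe("127.0.0.1"), samples=3, interval=0.5))
```

Run the monitor from the same network position as the application that depends on the database, since the advisory's attack vector is a client that can reach the SQL listener; alerting on the transition to "degraded" gives earlier warning than waiting for "unresponsive". The version check is deliberately strict to the one release the advisory names rather than a range, because no other versions are listed as affected.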
OpenCVE Enrichment