Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-01-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A flaw in Oracle MySQL Server’s parser component allows an attacker to send malformed input that causes the server to hang or crash repeatedly, resulting in a denial of service. The vulnerability does not provide code execution or data disclosure; it only disrupts availability by exploiting improper input validation in how the server processes network traffic. The likely attack vector is remote via crafted packets over standard MySQL connections, as inferred from the description of network access through multiple protocols.

Affected Systems

Oracle MySQL Server versions 9.0.0 through 9.5.0 are affected. Attackers require only low privileges but need network access to any of the protocols exposed by the MySQL service, as documented by the vendor’s CPU Jan 2026 advisory.

Risk and Exploitability

The CVSS base score of 5.3 reflects moderate availability impact with high attack complexity and low privilege requirements. An EPSS score of less than 1% indicates that exploit attempts are currently uncommon, and the vulnerability is absent from the CISA KEV catalog. Based on the description, it is inferred that the flaw can be triggered remotely via crafted packets over standard MySQL connections, making it a feasible attack vector for disrupting service or augmenting other attacks. No public exploits have been reported, but the impact is immediate once the vulnerability is exploited.

Generated by OpenCVE AI on April 18, 2026 at 19:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑published security patch or upgrade to a non‑affected Oracle MySQL Server release as outlined in the CPU Jan 2026 advisory.
  • Restrict network access to the MySQL service using firewall rules or VPN, limiting connections to trusted hosts only.
  • Disable or reduce exposure of unnecessary MySQL protocols and ensure the server is configured with the latest security settings to validate input properly.



Advisories

No advisories yet.

History

Wed, 11 Feb 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | | mysql: Parser unspecified vulnerability (CPU Jan 2026)
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Thu, 29 Jan 2026 16:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | NVD-CWE-noinfo

Wed, 21 Jan 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).
First Time appeared | | Oracle, Oracle mysql Server
CPEs | | cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Vendors & Products | | Oracle, Oracle mysql Server
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T20:54:43.658Z

Reserved: 2026-01-05T18:07:34.709Z

Link: CVE-2026-21929

Vulnrichment

Updated: 2026-01-21T20:53:38.616Z

NVD

Status: Analyzed

Published: 2026-01-20T22:15:55.410

Modified: 2026-01-29T15:45:39.760

Link: CVE-2026-21929

Redhat

Severity: Moderate

Public Date: 2026-01-20T00:00:00Z

Links: CVE-2026-21929 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T19:15:10Z

Weaknesses