Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-01-20
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service through unauthorized crash or hang of MySQL Server
Action: Patch Now
AI Analysis

Impact

This vulnerability resides in the InnoDB storage engine component of Oracle’s MySQL Server. An attacker who has high privileges and network access via standard MySQL protocols can exploit the flaw to trigger a hang or a frequently repeatable crash of the server, rendering the database unavailable. The CVSS 3.1 vector indicates no impact on confidentiality or integrity, but a high impact on availability.

Affected Systems

Oracle MySQL products are affected, specifically versions 8.0.0 through 8.0.44, 8.4.0 through 8.4.7, and 9.0.0 through 9.5.0. Users deploying these releases on either MySQL Cluster or MySQL Server configurations must verify whether their environment is within the aforementioned version ranges.

Risk and Exploitability

The base score of 4.9 corresponds to medium severity, and the EPSS score of less than 1% implies that the overall exploitation probability remains very low. The vulnerability is not listed in the CISA KEV catalog, so there is no confirmed exploitation in the wild. However, the required conditions, high privileges and network connectivity, make it suitable for targeted attacks, so the risk for affected systems persists until a patch is applied. The CNA indicates an official CPU in January 2026 that addresses this issue.

Generated by OpenCVE AI on April 18, 2026 at 04:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle Critical Patch Update for January 2026 that includes the InnoDB fix for MySQL 8.0.x, 8.4.x, and 9.x versions
  • If a patch cannot be applied immediately, limit network exposure to the MySQL server by configuring firewall rules to allow connections only from trusted IP addresses
  • Review and monitor MySQL error logs for repeated crash patterns that could indicate an attempt to exploit the vulnerability
  • Check the Oracle Security Alerts portal regularly for additional mitigations or workarounds

Advisories

  • Source: Ubuntu USN. ID: USN-7994-1. Title: MySQL vulnerabilities

History

Wed, 11 Feb 2026 12:15:00 +0000

  • Title. Added: mysql: InnoDB unspecified vulnerability (CPU Jan 2026)
  • References
  • Metrics. Removed: threat_severity None. Added: threat_severity Moderate


Thu, 29 Jan 2026 15:45:00 +0000

  • Weaknesses. Added: NVD-CWE-noinfo

Wed, 21 Jan 2026 21:15:00 +0000

  • Metrics. Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

  • Description. Added: Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
  • First Time appeared. Added: Oracle; Oracle mysql Cluster; Oracle mysql Server
  • CPEs. Added: cpe:2.3:a:oracle:mysql_cluster:*:*:*:*:*:*:*:*; cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
  • Vendors & Products. Added: Oracle; Oracle mysql Cluster; Oracle mysql Server
  • References
  • Metrics. Added: cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T20:57:55.683Z

Reserved: 2026-01-05T18:07:34.710Z

Link: CVE-2026-21936

Vulnrichment

Updated: 2026-01-21T20:57:52.788Z

NVD

Status: Analyzed

Published: 2026-01-20T22:15:56.277

Modified: 2026-01-29T15:44:06.733

Link: CVE-2026-21936

Redhat

Severity: Moderate

Public Date: 2026-01-20T00:00:00Z

Links: CVE-2026-21936 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses