Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-01-20
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Complete Crash)
Action: Immediate Patch
AI Analysis

Impact

A bug in the Data Definition Language (DDL) handling of Oracle MySQL Server can be triggered by a high-privileged attacker with network access, causing the server to crash or become unresponsive. The vulnerability is a pure availability flaw with no direct impact on confidentiality or integrity, and it can be reached over any protocol that can carry DDL statements. The advertised severity is a CVSS 3.1 base score of 4.9, reflecting a medium-severity impact on availability. A successful attacker could cause a hang or a repeatable crash, disrupting service for all clients.

Affected Systems

Oracle Corporation's MySQL Server product is affected. The vulnerable ranges are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Administrators should verify the exact build of MySQL Server they run and compare it against these ranges.

Risk and Exploitability

Exploitation requires remote network connectivity and high-privilege access to the MySQL Server, which limits the attack surface. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. An attacker would reach the service through the usual SQL interfaces, using a privileged account to send malformed DDL commands. Given the medium CVSS score and low EPSS, the overall risk is moderate, and the likelihood of exploitation remains low unless attackers or automated tools specifically target this flaw.

Generated by OpenCVE AI on April 18, 2026 at 15:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the January 2026 MySQL Server security update published by Oracle, or upgrade to a later major release that is not in the affected version range.
  • If a patch is not yet available, restrict MySQL Server to a trusted internal network, limit exposure of DDL‑capable endpoints, and enforce least‑privilege for users with schema‑altering rights.
  • Continuously monitor MySQL Server logs for repeated crashes or hang attempts and investigate any anomalies to detect exploitation attempts early.

Generated by OpenCVE AI on April 18, 2026 at 15:42 UTC.

Tracking

Advisories
Source      ID          Title
Ubuntu USN  USN-7994-1  MySQL vulnerabilities
History

Sat, 18 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-787

Wed, 11 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Title mysql: DDL unspecified vulnerability (CPU Jan 2026)
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 29 Jan 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Wed, 21 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
First Time appeared Oracle
Oracle mysql Server
CPEs cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle mysql Server
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T20:58:32.805Z

Reserved: 2026-01-05T18:07:34.710Z

Link: CVE-2026-21937

Vulnrichment

Updated: 2026-01-21T20:58:28.973Z

NVD

Status : Analyzed

Published: 2026-01-20T22:15:56.410

Modified: 2026-01-29T15:32:36.583

Link: CVE-2026-21937

Redhat

Severity : Moderate

Public Date: 2026-01-20T00:00:00Z

Links: CVE-2026-21937 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z