CVE-2026-21941 - Vulnerability Details

- mysql: Optimizer unspecified vulnerability (CPU Jan 2026)

Description

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Published: 2026-01-20

Score: 4.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is located in MySQL Server’s Optimizer component and allows an attacker who already has high‑privilege access over the network to cause the server to hang or crash repeatedly, effectively denying service. The flaw is a classic resource exhaustion issue represented by CWE‑400.

Affected Systems

Oracle Corporation’s MySQL Server is affected. Versions 8.0.0 through 8.0.44, 8.4.0 through 8.4.7, and 9.0.0 through 9.5.0 contain the flaw.

Risk and Exploitability

The CVSS v3.1 score is 4.9, indicating moderate severity with a focus on availability. The EPSS score is below 1 %, suggesting the likelihood of exploitation is low, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a network‑loose high‑privileged attacker; once such conditions are met, the attacker can trigger a DoS through multiple supported protocols.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

MySQL Server

affected

Version	Status	Constraints
`8.0.0`	affected	≤ 8.0.44
`8.4.0`	affected	≤ 8.4.7
`9.0.0`	affected	≤ 9.5.0

Configuration 1 [-]

OR	cpe:2.3:a:oracle:mysql_server::::::::
	cpe:2.3:a:oracle:mysql_server::::::::
	cpe:2.3:a:oracle:mysql_server::::::::

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply Oracle’s official MySQL Server patch that addresses the optimizer flaw.
Upgrade to a non‑vulnerable release – for example 8.0.45, 8.4.8, or 9.5.1 or later.
Limit external access to the MySQL server by configuring firewalls or network segmentation so that only trusted hosts can contact it.

Generated by OpenCVE AI on April 18, 2026 at 04:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Ubuntu USN	USN-7994-1	MySQL vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00049.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2026-21941
https://www.cve.org/CVERecord?id=CVE-2026-21941
https://www.oracle.com/security-alerts/cpujan2026.html
https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL

History

Wed, 11 Feb 2026 12:15:00 +0000

Type	Values Removed	Values Added
Title		mysql: Optimizer unspecified vulnerability (CPU Jan 2026)
References		https://nvd.nist.gov/vuln/detail/CVE-2026-21941 https://www.cve.org/CVERecord?id=CVE-2026-21941 https://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 21 Jan 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 21 Jan 2026 15:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-400

Tue, 20 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
First Time appeared		Oracle Oracle mysql Server
CPEs		cpe:2.3:a:oracle:mysql_server::::::::
Vendors & Products		Oracle Oracle mysql Server
References		https://www.oracle.com/security-alerts/cpujan2026.html
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Oracle Mysql Server

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-01-20T21:56:26.721Z

Updated: 2026-01-21T14:59:00.815Z

Reserved: 2026-01-05T18:07:34.711Z

Link: CVE-2026-21941

Vulnrichment

Updated: 2026-01-21T14:58:49.998Z

NVD

Status : Analyzed

Published: 2026-01-20T22:15:56.903

Modified: 2026-01-29T15:31:07.980

Link: CVE-2026-21941

Redhat

Severity : Moderate

Publid Date: 2026-01-20T00:00:00Z

Links: CVE-2026-21941 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses

CWE-400

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object