Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-01-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the Optimizer component of Oracle MySQL Server and is a CWE‑400 Excessive Resource Consumption flaw. It allows an attacker with low privileges and network access via any supported protocol to provoke uncontrolled resource consumption that causes the server to hang or crash. There is no direct impact on confidentiality or integrity.

Affected Systems

Oracle MySQL Server versions 9.0.0 through 9.5.0 are affected; any instance of these versions exposed to network traffic is at risk.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 reflects a high availability impact, while the EPSS score of 0.00053 indicates a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it remotely over multiple protocols with only low privileges, so the risk is moderate for publicly exposed databases.

Generated by OpenCVE AI on April 18, 2026 at 15:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest MySQL Server release that contains the Oracle CPU Jan 2026 fix or apply the vendor‑supplied patch.
  • Restrict inbound traffic to the MySQL port (3306) to trusted hosts or through a VPN and use firewall rules or ACLs to limit exposure.
  • Continuously monitor MySQL logs for repeated crashes or hang patterns, and review query activity for signs of resource exhaustion.


Advisories

No advisories yet.

History

Wed, 11 Feb 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | mysql: Optimizer unspecified vulnerability (CPU Jan 2026) |
| References | | |
| Metrics | threat_severity: None | threat_severity: Moderate |


Wed, 21 Jan 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-400 |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 20 Jan 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). |
| First Time appeared | | Oracle; Oracle mysql Server |
| CPEs | | cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle mysql Server |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T15:17:33.458Z

Reserved: 2026-01-05T18:07:34.712Z

Link: CVE-2026-21950

Vulnrichment

Updated: 2026-01-21T15:17:26.891Z

NVD

Status: Analyzed

Published: 2026-01-20T22:15:57.993

Modified: 2026-01-29T15:28:59.573

Link: CVE-2026-21950

Redhat

Severity: Moderate

Public Date: 2026-01-20T00:00:00Z

Links: CVE-2026-21950 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses