Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-01-20
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A vulnerability in the Parser component of Oracle MySQL Server can be triggered by a high-privileged attacker with network access, causing the server to hang or crash repeatedly. The flaw is classified as CWE-400 and has a high availability impact, potentially disrupting all database services that depend on the affected MySQL instance.

Affected Systems

Oracle MySQL Server versions from 9.0.0 through 9.5.0 are affected. The vulnerability is present only in the Server: Parser component and affects all editions of the product that fall within the specified version range.

Risk and Exploitability

With a CVSS 3.1 base score of 4.9, the vulnerability is rated Medium, and the EPSS score indicates a less than 1 percent probability of exploitation. The attack vector is the network (AV:N) over multiple protocols, and the attacker needs high privileges (PR:H). The vulnerability is not listed in CISA's KEV catalog, meaning there is no confirmed exploitation in the wild as of now. Nonetheless, an attacker who succeeds could cause a denial of service by repeatedly crashing the server, undermining business continuity.

Generated by OpenCVE AI on April 18, 2026 at 15:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a patch or upgrade Oracle MySQL Server to a version later than 9.5.0 that includes the remedy for the Parser vulnerability.
  • Restrict inbound network traffic to the MySQL Server to only trusted hosts and limit the use of non-essential protocols that may trigger the parser.
  • Monitor MySQL Server logs and system metrics for unexpected hangs or crash events and be prepared to restart or remediate services as part of a service‑level availability plan.



Advisories

No advisories yet.

History

Wed, 11 Feb 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | mysql: Parser unspecified vulnerability (CPU Jan 2026) |
| References | | |
| Metrics | threat_severity: None | threat_severity: Moderate |


Wed, 21 Jan 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-400 |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 20 Jan 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). |
| First Time appeared | | Oracle; Oracle mysql Server |
| CPEs | | cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle mysql Server |
| References | | |
| Metrics | | cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T15:23:16.511Z

Reserved: 2026-01-05T18:07:34.713Z

Link: CVE-2026-21952

Vulnrichment

Updated: 2026-01-21T15:20:37.734Z

NVD

Status: Analyzed

Published: 2026-01-20T22:15:58.230

Modified: 2026-01-29T15:28:21.610

Link: CVE-2026-21952

Redhat

Severity: Moderate

Public Date: 2026-01-20T00:00:00Z

Links: CVE-2026-21952 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses