Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-01-20
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in the Thread Pooling component of Oracle MySQL Server and allows a high privileged attacker with network access through various protocols to cause the database server to hang or repeatedly crash, resulting in a complete denial of service for legitimate users. The weakness can be inferred as uncontrolled resource consumption (CWE‑770).

Affected Systems

Affected versions include Oracle MySQL Server 8.0.0 through 8.0.44, 8.4.0 through 8.4.7, and 9.0.0 through 9.5.0. All installations of these versions that enable Thread Pooling are potentially vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 4.9 indicates a moderate severity focused on availability; the EPSS score of less than 1 % suggests that exploitation is unlikely at present, and the vulnerability is not listed in CISA’s KEV catalog. The likelihood of exploitation in the wild is low, but the attack vector requires remote network connectivity and attacker privileges at the database level, which may be granted to application users in many environments. The primary risk is an availability outage that could impact business operations.

Generated by OpenCVE AI on April 18, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the Oracle security update for MySQL Server that fixes the Thread Pooling issue as detailed in the January 2026 CPU advisory.
  • Restrict inbound traffic to the MySQL port (default 3306) to trusted IP ranges or employ firewall rules to limit exposure to authorized hosts.
  • Consider disabling or reducing thread pooling settings until a patched version is deployed, and monitor server health to restart the process promptly after crashes.

Generated by OpenCVE AI on April 18, 2026 at 15:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-7994-1 MySQL vulnerabilities
History

Sat, 18 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770

Wed, 11 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
Title mysql: Thread Pooling unspecified vulnerability (CPU Jan 2026)
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 29 Jan 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Oracle mysql
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Vendors & Products Oracle mysql

Wed, 21 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
First Time appeared Oracle
Oracle mysql Server
CPEs cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle mysql Server
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Oracle Mysql Mysql Server
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T20:04:13.585Z

Reserved: 2026-01-05T18:07:34.714Z

Link: CVE-2026-21964

cve-icon Vulnrichment

Updated: 2026-01-21T20:01:22.130Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-20T22:15:59.350

Modified: 2026-01-29T14:49:09.600

Link: CVE-2026-21964

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-20T00:00:00Z

Links: CVE-2026-21964 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses