Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-01-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The flaw is in the Server: Optimizer component of Oracle MySQL Server. An authenticated, low-privileged attacker who can reach the server over the network can trigger a hang or a repeatable crash of mysqld, which Oracle rates as a complete denial of service. The CVSS vector records no confidentiality or integrity impact (C:N/I:N), so the vulnerability gives no data access and no privilege escalation; the impact is loss of availability for every application that depends on the server, and because the crash is repeatable the attacker can knock the server over again each time it is restarted.

Affected Systems

Oracle MySQL Server is affected in versions 8.0.0 through 8.0.44, 8.4.0 through 8.4.7, and 9.0.0 through 9.5.0, that is, every release of the 8.0 and 8.4 LTS series and the 9.x innovation series up to and including those versions; by the usual reading of Oracle advisories, the next release in each series is the first one not affected. Oracle only assesses supported versions, so out-of-support releases (for example the 5.7 series) are not listed and should not be assumed safe.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 reflects an availability-only impact. The vector itself (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) states the rest: network attack vector, low attack complexity, no user interaction, but low privileges required, meaning the attacker needs a valid database account that can connect to the server and submit queries. "Via multiple protocols" is Oracle's standard wording for MySQL Server and refers to the client protocols over which queries reach the server (the classic MySQL protocol and the X Protocol), not to a separately exposed optimizer interface; the optimizer is the server-side component that processes the submitted query. The EPSS score of <1% reflects a very low predicted exploitation probability, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment recorded in the history below (Exploitation: none, Automatable: no, Technical Impact: partial) says the same. The overall risk is a moderate availability disruption that is cheap to trigger once an account is in hand, so it should be patched on the normal CPU cadence and prioritised on servers exposed to many or untrusted database users.

Generated by OpenCVE AI on April 18, 2026 at 19:54 UTC.

Remediation

The remediation field on this page lists no vendor fix or workaround. The CVE was nevertheless published with Oracle's January 2026 Critical Patch Update (see the title recorded in the history below), the affected ranges stop at 8.0.44, 8.4.7 and 9.5.0, so the fix is in the next release of each series, and Ubuntu has issued USN-7994-1 for its packages (see Advisories).

OpenCVE Recommended Actions

  • Upgrade MySQL Server to the releases shipped with Oracle's January 2026 Critical Patch Update, that is, to a version later than 8.0.44 in the 8.0 series, later than 8.4.7 in the 8.4 series, or later than 9.5.0 in the 9.x series. On distribution-packaged builds apply the vendor update instead (Ubuntu: USN-7994-1); such packages may backport the fix without changing the upstream version number, so a version check alone does not prove exposure.
  • Restrict network access to the MySQL listener (TCP 3306 for the classic protocol and 33060 for the X Protocol, if it is enabled) with firewall rules or network segmentation so that only application hosts can connect, and set bind_address to a specific interface rather than 0.0.0.0. Because exploitation requires a valid low-privileged account (PR:L), also review which accounts may connect from which hosts and remove unused accounts and over-broad '%' host patterns.
  • Monitor mysqld availability and restarts (the error log's startup messages, service-manager restart counts, connection failures seen by applications) and alert on repeated crashes or hangs within a short window, which is the observable symptom of this vulnerability being triggered. Correlate each restart with the general or audit log to identify the account and the statement that preceded it.
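The following Python script is an added example, not OpenCVE, Oracle or Ubuntu code, that implements two of the recommended actions above: a version check against the affected ranges quoted in the description, and a detector for clusters of mysqld restarts in the error log, which is what a "frequently repeatable crash" looks like from the outside. It assumes that the version string begins with an x.y.z triple (as SELECT VERSION() and mysqld --version report) and that the error log uses the default 8.x layout in which the MY-010931 message marks "ready for connections"; the sample log lines are constructed for the demonstration.

```python
"""Triage helpers for CVE-2026-21968, the MySQL Server optimizer DoS.

Added example; this is not OpenCVE, Oracle or Ubuntu code. It covers two
of the recommended actions on this page:

  * is_affected()    - is a reported server version inside the affected
                       ranges quoted in the CVE description?
  * restart_bursts() - scan MySQL 8.x/9.x error-log lines for clusters of
                       server starts, the outward sign of a crash loop.

Assumptions (not stated on the page): the version string starts with an
x.y.z triple, and the error log uses the default 8.x format in which
MY-010931 is the "ready for connections" startup message. The sample log
at the bottom is constructed.
"""
import re
from datetime import datetime, timedelta

# Inclusive ranges copied from the CVE description.
AFFECTED_RANGES = (
    ((8, 0, 0), (8, 0, 44)),
    ((8, 4, 0), (8, 4, 7)),
    ((9, 0, 0), (9, 5, 0)),
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string):
    """Return (major, minor, patch) from '8.0.44', '8.0.44-0ubuntu0.24.04.1'
    or '8.4.7-commercial'; raise ValueError if no leading x.y.z triple."""
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised MySQL version: {version_string!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version_string):
    """True if the upstream version is inside an affected range.

    Caveat: distribution packages (e.g. Ubuntu's USN-7994-1 build) may
    backport the fix without bumping the upstream number, so True means
    "check the vendor advisory", not proof of exposure."""
    version = parse_version(version_string)
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


# Assumed 8.x error-log layout: "<ISO timestamp>Z <thread> [System] [MY-010931] ..."
_READY_RE = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+Z) \d+ \[System\] \[MY-010931\]")


def restart_times(log_lines):
    """Timestamps of every mysqld start recorded in the error log."""
    starts = []
    for line in log_lines:
        m = _READY_RE.match(line)
        if m:
            starts.append(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%fZ"))
    return starts


def restart_bursts(log_lines, window=timedelta(minutes=10), threshold=3):
    """Return (window_start, count) for each start that opens a window of
    length `window` containing at least `threshold` starts.

    One restart is routine maintenance; three or more inside ten minutes
    is the crash-loop signature worth alerting on."""
    starts = restart_times(log_lines)
    bursts = []
    for i, first in enumerate(starts):
        count = sum(1 for t in starts[i:] if t - first <= window)
        if count >= threshold:
            bursts.append((first, count))
    return bursts


# Constructed sample: one normal morning start, then three starts in about
# three minutes around 11:30, plus an unrelated warning line.
_READY = ("[System] [MY-010931] [Server] /usr/sbin/mysqld: ready for "
          "connections. Version: '8.0.44'  socket: '/var/run/mysqld/mysqld.sock'"
          "  port: 3306  MySQL Community Server - GPL.")
SAMPLE_ERROR_LOG = [
    "2026-01-21T09:00:00.123456Z 0 " + _READY,
    "2026-01-21T11:30:05.000000Z 0 " + _READY,
    "2026-01-21T11:31:40.000000Z 0 " + _READY,
    "2026-01-21T11:33:02.000000Z 0 " + _READY,
    "2026-01-21T11:33:03.000000Z 0 [Warning] [MY-010068] [Server] "
    "CA certificate ca.pem is self signed.",
]

if __name__ == "__main__":
    for v in ("8.0.44-0ubuntu0.24.04.1", "8.0.45", "8.4.7", "9.5.0", "9.6.0"):
        print(f"{v:28s} affected={is_affected(v)}")
    for start, count in restart_bursts(SAMPLE_ERROR_LOG):
        print(f"{count} mysqld starts within 10 min from {start.isoformat()}")
```

Run it against the real error log by replacing SAMPLE_ERROR_LOG with the file's lines; on a server that rotates the error log or logs to syslog, feed the relevant source in the same format. The version check is deliberately upstream-only, which is why the second half exists: a backported package looks affected to the first function and is only cleared by the vendor advisory, while a crash loop in the log is evidence regardless of what the version string says.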


Advisories
Source      ID          Title
Ubuntu USN  USN-7994-1  MySQL vulnerabilities
History

Wed, 11 Feb 2026 12:15:00 +0000

Type        Values Removed          Values Added
Title       -                       mysql: Optimizer unspecified vulnerability (CPU Jan 2026)
References  -                       -
Metrics     threat_severity: None   threat_severity: Moderate

Thu, 29 Jan 2026 15:30:00 +0000

Type        Values Removed   Values Added
Weaknesses  -                NVD-CWE-noinfo

Wed, 21 Jan 2026 20:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 22:15:00 +0000

Type                 Values Removed   Values Added
Description          -                (identical to the Description at the top of this page)
First Time appeared  -                Oracle; Oracle mysql Server
CPEs                 -                cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Vendors & Products   -                Oracle; Oracle mysql Server
References           -                -
Metrics              -                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T19:21:31.349Z

Reserved: 2026-01-05T18:07:34.714Z

Link: CVE-2026-21968

Vulnrichment

Updated: 2026-01-21T19:20:40.829Z

NVD

Status : Analyzed

Published: 2026-01-20T22:15:59.853

Modified: 2026-01-29T15:26:57.960

Link: CVE-2026-21968

Redhat

Severity : Moderate

Public Date: 2026-01-20T00:00:00Z

Links: CVE-2026-21968 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses