CVE-2026-21998 - Vulnerability Details

- Denial-of-Service via Optimizer Component Crash in Oracle MySQL Server

Description

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Published: 2026-04-21

Score: 4.9 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

Vulnerability discovered in the Optimizer component of Oracle MySQL Server allows an attacker with high privileges to trigger a hang or crash, resulting in a denial of service. The flaw is exploitable over the network using any supported protocol and requires an attacker to possess elevated privileges. Once triggered, the server becomes unavailable, impacting only availability with no direct effect on confidentiality or integrity. The CVSS 3.1 base score of 4.9 reflects a low to medium severity availability vulnerability.

Affected Systems

Oracle MySQL Server versions 8.0.0 through 8.0.45, 8.4.0 through 8.4.8, and 9.0.0 through 9.6.0 are vulnerable. Users running these releases should verify their deployment against the Oracle CPU April 2026 advisory.

Risk and Exploitability

Because the CVSS score indicates moderate availability impact and the EPSS is not available, the exploitation likelihood is uncertain but not considered high. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation. An attacker with network connectivity and elevated privileges could exploit the flaw by sending malformed optimizer requests, leading to a crash. Standard denial‑of‑service defenses such as monitoring for repeated crashes and restricting privileged network access mitigate the risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

MySQL Server

affected

Version	Status	Constraints
`8.0.0`	affected	≤ 8.0.45
`8.4.0`	affected	≤ 8.4.8
`9.0.0`	affected	≤ 9.6.0

No data.

Vendor Product Confidence Versions

Oracle

Mysql Server

95%

Version	Status	Scheme	Platform
`[8.0.0,8.0.45]`	affected	semver	—
`[8.4.0,8.4.8]`	affected	semver	—
`[9.0.0,9.6.0]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Oracle MySQL Server to a non‑vulnerable release (8.0.46+, 8.4.9+, or 9.6.1+).
Restrict privileged network access to the MySQL Server and enforce the principle of least privilege for client accounts.
Implement monitoring for unexpected hangs or crashes and configure alerting to detect repeatable denial‑of‑service patterns.

Generated by OpenCVE AI on April 22, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.oracle.com/security-alerts/cpuapr2026.html

History

Wed, 22 Apr 2026 03:15:00 +0000

Type	Values Removed	Values Added
Title		Denial-of-Service via Optimizer Component Crash in Oracle MySQL Server
Weaknesses		CWE-400

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
First Time appeared		Oracle Oracle mysql Server
CPEs		cpe:2.3:a:oracle:mysql_server::::::::
Vendors & Products		Oracle Oracle mysql Server
References		https://www.oracle.com/security-alerts/cpuapr2026.html
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Oracle Mysql Server

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-04-21T20:34:59.321Z

Updated: 2026-04-21T20:34:59.321Z

Reserved: 2026-01-05T18:07:34.723Z

Link: CVE-2026-21998

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T21:16:24.863

Modified: 2026-04-21T21:16:24.863

Link: CVE-2026-21998

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:30:09Z

Weaknesses

CWE-400

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object