Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-04-21
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service (Complete DOS)
Action: Patch
AI Analysis

Impact

The vulnerability lies in the Optimizer component of Oracle MySQL Server. An attacker who already holds a high-privileged database account and can reach the server over the network can exploit this flaw to make the server hang or crash repeatedly, a complete denial of service. The CVSS 3.1 base score is 4.9, and the vector records an availability impact only (C:N/I:N/A:H). The weaknesses recorded against the entry are uncontrolled resource consumption (CWE-400) and allocation of resources without limits or throttling (CWE-770); the advisory itself gives no detail about the query or optimizer condition that triggers the problem.

Affected Systems

Affected versions are Oracle MySQL Server 8.0.0 through 8.0.45, 8.4.0 through 8.4.8, and 9.0.0 through 9.6.0. The flaw is in server code, so every platform on which those versions run is affected.

Risk and Exploitability

The CVSS vector records an availability impact only; confidentiality and integrity are unaffected. The recorded weaknesses are uncontrolled resource consumption (CWE-400) and allocation of resources without limits or throttling (CWE-770). The EPSS score is below 1%, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment recorded in the history below rates Exploitation as none and Automatable as no. The vector is network-based (AV:N) with low attack complexity (AC:L), but it requires high privileges (PR:H): the attacker must already hold a privileged MySQL account, so the realistic path is a compromised or over-privileged application or administrator account rather than an unauthenticated remote trigger. The availability impact is nonetheless complete (A:H), so where the database is critical the patch should be scheduled promptly and privileged accounts reviewed for how widely they are reachable over the network.

Generated by OpenCVE AI on April 28, 2026 at 16:14 UTC.

Remediation

No separate workaround is recorded for this entry. The fix is delivered through Oracle's April 2026 Critical Patch Update (CPU Apr 2026), which the entry's title references; see the recommended actions below.

OpenCVE Recommended Actions

  • Apply the Oracle MySQL Server patch delivered in the April 2026 Critical Patch Update (CPU Apr 2026), the advisory this entry's title references, to close the optimizer flaw.
  • Move each server to a release above its affected range (above 8.0.45 on the 8.0 line, above 8.4.8 on 8.4, above 9.6.0 on 9.x) and confirm afterwards with SELECT VERSION() that the running version falls outside the ranges listed under Affected Systems.
  • Limit network exposure: bind the server to trusted interfaces, restrict inbound connections to trusted hosts, and disable listeners no client uses (for example the X Protocol port served by the mysqlx plugin), since the advisory states the flaw is reachable via multiple protocols.
  • Because exploitation requires a high-privileged account (PR:H), review which accounts hold elevated privileges and from which hosts (the Host column of mysql.user) they may connect, and remove wildcard hosts from privileged accounts.

Generated by OpenCVE AI on April 28, 2026 at 16:14 UTC.
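Two checks that follow directly from the advisory's version ranges and its PR:H rating, written as an added example (this is not OpenCVE's or Oracle's code): a parser for SELECT VERSION() output compared against the affected ranges listed under Affected Systems, and an audit of accounts that could satisfy the high-privilege precondition from a non-local host. Treating SUPER as the proxy for "high privilege" is an assumption, since the advisory does not name the privilege the attack needs; the trusted-host list and the sample rows are constructed, and the mysql.user columns queried (User, Host, Super_priv) are standard MySQL.

```python
"""Post-advisory checks for CVE-2026-22002 (MySQL Server, Optimizer DoS).

1. Is the running server inside one of the affected version ranges?
2. Which SUPER-holding accounts can connect from outside trusted hosts?
"""
import re

# Affected ranges copied from the advisory text, inclusive at both ends.
AFFECTED_RANGES = (
    ((8, 0, 0), (8, 0, 45)),
    ((8, 4, 0), (8, 4, 8)),
    ((9, 0, 0), (9, 6, 0)),
)

# Query whose rows feed exposed_privileged_accounts(). SUPER is used as a
# proxy for "high privilege" (assumption: the advisory does not name the
# privilege the attack requires).
AUDIT_QUERY = (
    "SELECT User, Host, Super_priv FROM mysql.user "
    "WHERE Super_priv = 'Y' ORDER BY User, Host"
)


def parse_mysql_version(version_string):
    """Return (major, minor, patch) from a SELECT VERSION() string.

    Distribution and edition suffixes such as '8.0.45-0ubuntu0.22.04.1' or
    '8.4.8-commercial' are ignored; only the leading numeric triple matters
    when comparing against the advisory ranges.
    """
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version_string)
    if not match:
        raise ValueError(f"unrecognised MySQL version string: {version_string!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True if the version (string or (major, minor, patch) tuple) lies inside
    one of the affected ranges from the advisory."""
    parsed = parse_mysql_version(version) if isinstance(version, str) else tuple(version)
    return any(low <= parsed <= high for low, high in AFFECTED_RANGES)


def exposed_privileged_accounts(rows, trusted_hosts=("localhost", "127.0.0.1", "::1")):
    """Return 'user'@'host' strings for SUPER-holding accounts whose Host value
    is not one of trusted_hosts.

    rows: iterable of (User, Host, Super_priv) tuples as produced by AUDIT_QUERY;
    unfiltered mysql.user rows are accepted too, non-SUPER rows are skipped.
    Any Host outside trusted_hosts, including wildcard patterns such as '%' or
    '10.0.0.%', is reported, because with AV:N and PR:H those are the accounts
    through which the flaw is reachable over the network.
    """
    exposed = []
    for user, host, super_priv in rows:
        if super_priv != "Y" or host in trusted_hosts:
            continue
        exposed.append(f"'{user}'@'{host}'")
    return exposed


# Constructed sample data standing in for live query results.
SAMPLE_VERSION = "8.0.45-0ubuntu0.22.04.1"
SAMPLE_USER_ROWS = [
    ("root", "localhost", "Y"),
    ("root", "%", "Y"),          # SUPER from anywhere: the case to close first
    ("app", "10.0.0.%", "N"),
    ("dba", "10.0.0.%", "Y"),    # SUPER from a whole subnet: review
    ("mysql.sys", "localhost", "N"),
]

if __name__ == "__main__":
    print(f"{SAMPLE_VERSION}: affected={is_affected(SAMPLE_VERSION)}")
    for account in exposed_privileged_accounts(SAMPLE_USER_ROWS):
        print(f"network-reachable SUPER account: {account}")
```

Run AUDIT_QUERY with a client that can read mysql.user and pass the result rows to exposed_privileged_accounts(); the version string comes from SELECT VERSION() on the same server. A version outside every affected range is not touched by this CVE's listing, but confirm it after patching rather than before, since a pending upgrade does not change what is currently running.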

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000
Weaknesses changed: CWE-119, CWE-787

Thu, 23 Apr 2026 12:15:00 +0000
Title: removed "Denial of Service via Optimizer Vulnerability in Oracle MySQL Server"; added "mysql: Optimizer unspecified vulnerability (CPU Apr 2026)"
Weaknesses added: CWE-770
References: changed (values not shown)
Metrics threat_severity: removed None; added Moderate

Wed, 22 Apr 2026 14:15:00 +0000
Weaknesses added: CWE-400
Metrics ssvc added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 03:15:00 +0000
Title added: Denial of Service via Optimizer Vulnerability in Oracle MySQL Server
Weaknesses added: CWE-119, CWE-787

Wed, 22 Apr 2026 00:00:00 +0000 (entry created)
Description added: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
First Time appeared: Oracle; Oracle mysql Server
CPEs added: cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Vendors & Products added: Oracle; Oracle mysql Server
References: added (values not shown)
Metrics cvssV3_1 added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}



MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T14:09:22.952Z

Reserved: 2026-01-05T18:07:34.725Z

Link: CVE-2026-22002

Vulnrichment

Updated: 2026-04-22T14:09:15.447Z

NVD

Status : Analyzed

Published: 2026-04-21T21:16:25.453

Modified: 2026-04-23T15:04:10.053

Link: CVE-2026-22002

Red Hat

Severity : Moderate

Public Date: 2026-04-21T00:00:00Z

Links: CVE-2026-22002 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T16:15:20Z

Weaknesses