Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Availability
Action: Patch Now
AI Analysis

Impact

A flaw in the optimizer component of Oracle MySQL Server allows a low‑privileged attacker who can reach the server over the network to trigger a hang or repeatable crash, causing a denial of service. The weakness results in the server becoming unresponsive, which directly impacts availability while leaving confidentiality and integrity unaltered. The weakness corresponds to CWE-400, and CWE-770.

Affected Systems

Oracle MySQL Server versions 8.0.0 through 8.0.45, 8.4.0 through 8.4.8, and 9.0.0 through 9.6.0 contain the vulnerable optimizer component.

Risk and Exploitability

The vulnerability has a moderate CVSS v3.1 base score of 6.5, indicating a meaningful availability impact. Exploitation is feasible over the network using multiple protocols and requires only low privileged access with no user interaction. No exploitation data is publicly documented, the EPSS score is <1%, and the flaw is not listed in CISA’s KEV catalog, suggesting that public attacks have not yet been observed.

Generated by OpenCVE AI on April 28, 2026 at 16:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle MySQL Server security patch that fixes the optimizer flaw
  • If a patch cannot be applied immediately, restrict network access to MySQL ports (e.g., 3306) by using firewall rules or network segmentation to limit connections to trusted hosts
  • Configure server resource limits or fail‑over mechanisms to reduce the impact of repeated crashes

Generated by OpenCVE AI on April 28, 2026 at 16:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-399

Thu, 23 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Optimizer Component in Oracle MySQL Server mysql: Optimizer unspecified vulnerability (CPU Apr 2026)
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via Optimizer Component in Oracle MySQL Server
Weaknesses CWE-399
CWE-770

Wed, 22 Apr 2026 07:00:00 +0000

Type Values Removed Values Added
Title MySQL Server Optimizer Denial of Service via Low-Privilege Network Access
Weaknesses CWE-399
CWE-770

Wed, 22 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Title MySQL Server Optimizer Denial of Service via Low-Privilege Network Access
Weaknesses CWE-399
CWE-770

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
First Time appeared Oracle
Oracle mysql Server
CPEs cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle mysql Server
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Oracle Mysql Server
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:36:48.167Z

Reserved: 2026-01-05T18:07:34.726Z

Link: CVE-2026-22009

cve-icon Vulnrichment

Updated: 2026-04-22T13:36:43.611Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T21:16:27.353

Modified: 2026-04-23T15:02:49.753

Link: CVE-2026-22009

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T00:00:00Z

Links: CVE-2026-22009 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T16:15:20Z

Weaknesses