Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in the Optimizer component of Oracle MySQL Server. A low privileged attacker with network access can trigger a crash or hang in the server, leading to a complete denial of service. The primary impact is loss of availability; confidentiality and integrity are not directly affected.

Affected Systems

Oracle Corporation’s MySQL Server versions 9.0.0 through 9.6.0 are affected. These versions are commonly deployed in web and application environments that rely on MySQL for backend storage.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 indicates moderate severity, with the availability dimension rated high while confidentiality and integrity remain unaffected. The EPSS score is not available, and the vulnerability is not yet listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation yet. However, the attack vector is network based, requires low privileges, and thus the risk of successful exploitation remains significant for exposed MySQL instances.

Generated by OpenCVE AI on April 22, 2026 at 05:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle MySQL Server to the latest release that includes the security fix for the Optimizer bug
  • Restrict network access to the MySQL service by configuring firewall rules to allow only trusted IPs, thereby reducing the attack surface for low‑privileged attackers
  • Continuously monitor MySQL logs and system metrics for signs of repeated crashes or abnormal query traffic, and implement automated alerts or scheduled restarts to maintain availability

Generated by OpenCVE AI on April 22, 2026 at 05:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Title MySQL Server Optimizer Component Denial of Service via Low-Privilege Network Exploit
Weaknesses CWE-399
CWE-400

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
First Time appeared Oracle
Oracle mysql Server
CPEs cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle mysql Server
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Oracle Mysql Server
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:52:28.795Z

Reserved: 2026-03-26T19:48:45.674Z

Link: CVE-2026-34272

cve-icon Vulnrichment

Updated: 2026-04-22T13:52:21.450Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-21T21:16:31.087

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-34272

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T05:15:06Z

Weaknesses