Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-04-21
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patches
AI Analysis

Impact

Oracle MySQL Server contains a flaw in its InnoDB storage engine that lets a high‑privileged attacker, who can reach the database system over network protocols, force the server to hang or crash repeatedly. This results in a complete denial of service for all users of the affected database, without impacting confidentiality or integrity.

Affected Systems

Oracle MySQL Server versions 8.0.0 through 8.0.45, 8.4.0 through 8.4.8, and 9.0.0 through 9.6.0 are impacted.

Risk and Exploitability

The CVSS 3.1 base score of 4.9 indicates moderate severity for an availability impact. Exploitability requires high privileges and network connectivity. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. An attacker that succeeds can trigger a repeatable crash of the MySQL server, causing a full denial of service to all connected clients.

Generated by OpenCVE AI on April 29, 2026 at 01:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle MySQL Server patch available after the 2026‑April security advisory, which removes the InnoDB crash vulnerability.
  • Limit network access to the MySQL server by configuring firewall rules to allow connections only from trusted hosts or IP addresses.
  • Disable unused network protocols and enforce strict firewall rules to reduce the attack surface until a patch is applied.
  • Monitor MySQL server logs and system metrics for abnormal hang or crash patterns, and alert administrators when repeated failures occur.

Generated by OpenCVE AI on April 29, 2026 at 01:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-665

Thu, 23 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title InnoDB Storage Engine Crash Causes Availability Denial of Service in Oracle MySQL mysql: InnoDB unspecified vulnerability (CPU Apr 2026)
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Title InnoDB Storage Engine Crash Causes Availability Denial of Service in Oracle MySQL
Weaknesses CWE-400
CWE-665

Wed, 22 Apr 2026 07:00:00 +0000

Type Values Removed Values Added
Title Denial of Service via InnoDB Exploit in Oracle MySQL Server
Weaknesses CWE-1010

Wed, 22 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via InnoDB Exploit in Oracle MySQL Server
Weaknesses CWE-1010

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
First Time appeared Oracle
Oracle mysql Server
CPEs cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle mysql Server
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Oracle Mysql Server
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:26:47.898Z

Reserved: 2026-03-26T19:48:45.679Z

Link: CVE-2026-34304

cve-icon Vulnrichment

Updated: 2026-04-22T13:26:37.190Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T21:16:35.690

Modified: 2026-04-23T15:10:07.963

Link: CVE-2026-34304

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T00:00:00Z

Links: CVE-2026-34304 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T02:00:27Z

Weaknesses