Description
Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Shell. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H).
Published: 2026-04-21
Score: 5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the core client component of Oracle MySQL Shell. It allows a low‑privileged user who can log onto the system where the shell runs to cause the application to hang or crash repeatedly. A successful exploitation results only in an availability impact, with no modification of data or confidentiality compromise.

Affected Systems

Affected versions are Oracle MySQL Shell 8.0.0 through 8.0.45, 8.4.0 through 8.4.8, and 9.0.0 through 9.6.0. The flaw exists in the Shell: Core Client component of Oracle MySQL Shell distributed by Oracle.

Risk and Exploitability

The CVSS base score is 5.0, indicating moderate impact on availability. Exploitation requires local access with low privilege levels, and a person other than the attacker must provide user interaction. The EPSS score is < 1%, indicating a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw causes a denial of service, an attacker who can obtain local access can disrupt database operations, though no data loss or unauthorized access occurs.

Generated by OpenCVE AI on April 29, 2026 at 00:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch or upgrade to a non‑affected MySQL Shell release as detailed in the security advisory, which addresses the underlying resource handling flaws.
  • Restrict local access to MySQL Shell so that only authorized administrators can run it, and limit the number of concurrent instances through OS‑level resource controls (e.g., ulimit, cgroups) to reduce uncontrolled resource consumption.
  • Configure or review service start‑up scripts to ensure MySQL Shell is initialized before use and that cleanup routines are executed at exit, thereby preventing resource leaks and improper shutdown.
  • Monitor MySQL Shell logs for crash patterns and schedule automated restarts or apply watchdog mechanisms to maintain availability.

Generated by OpenCVE AI on April 29, 2026 at 00:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Ubuntu USN Ubuntu USN USN-8363-1 MySQL vulnerabilities
Ubuntu USN Ubuntu USN USN-8363-2 MySQL vulnerabilities
History

Tue, 05 May 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Oracle mysql
CPEs cpe:2.3:a:oracle:mysql:*:*:*:*:*:*:*:*
Vendors & Products Oracle mysql

Wed, 29 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via Uncontrolled Crash in Oracle MySQL Shell

Tue, 28 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title Low-Privilege Local Denial of Service in Oracle MySQL Shell
Weaknesses CWE-400
CWE-689

Thu, 23 Apr 2026 23:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-404

Wed, 22 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Title Low-Privilege Local Denial of Service in Oracle MySQL Shell
Weaknesses CWE-400
CWE-689

Wed, 22 Apr 2026 05:15:00 +0000

Type Values Removed Values Added
Title MySQL Shell Local Denial of Service
Weaknesses CWE-201

Wed, 22 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Title MySQL Shell Local Denial of Service
Weaknesses CWE-201

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Shell. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H).
First Time appeared Oracle
Oracle mysql Shell
CPEs cpe:2.3:a:oracle:mysql_shell:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle mysql Shell
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}

Subscriptions

Oracle Mysql Mysql Shell
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:16:12.618Z

Reserved: 2026-03-26T19:48:45.681Z

Link: CVE-2026-34317

cve-icon Vulnrichment

Updated: 2026-04-22T13:15:55.674Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T21:16:37.183

Modified: 2026-05-05T16:33:37.113

Link: CVE-2026-34317

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T00:30:16Z

Weaknesses