Description
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Published: 2026-04-21
Score: 4.9 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the InnoDB component of Oracle MySQL Server and allows a high-privileged attacker with network access through multiple protocols to trigger a hang or a complete crash of the database engine. According to the CVSS vector, the flaw affects only availability; it causes no loss of confidentiality or integrity. The impact manifests as an unresponsive or repeatedly crashing MySQL instance, disrupting any service that depends on it.

Affected Systems

Oracle MySQL Server versions 8.0.0 through 8.0.45, 8.4.0 through 8.4.8, and 9.0.0 through 9.6.0 are affected. The issue is specific to the InnoDB storage engine in these releases.

Risk and Exploitability

The CVSS base score of 4.9 indicates a medium-severity availability flaw. The EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, which suggests the likelihood of exploitation is low to moderate. Exploitation requires that the attacker already has high privileges and network connectivity to the MySQL instance; from there they can send specially crafted packets or queries that cause the engine to hang or crash.

Generated by OpenCVE AI on April 22, 2026 at 06:28 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle MySQL Server to the most recent patch level that addresses the InnoDB denial of service vulnerability.
  • If a patch cannot be applied immediately, restrict network access to the MySQL service to only trusted hosts or apply firewall rules to block the protocols that can trigger the crash.
  • Monitor the database logs and system metrics for repeated hangs or restarts, and investigate any sudden availability loss promptly.
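The log-monitoring item above, worked through in code. This is an added example, not part of the OpenCVE record or of any Oracle material: it scans a MySQL 8.x error log for server starts that were not preceded by a clean shutdown and raises an alert when several of them fall inside a short window, which is the pattern a repeatedly crashing InnoDB instance leaves behind. It assumes the MySQL 8 error-log line layout (timestamp, thread id, level, MY-code, subsystem, message) and the MY-010116 "starting as process" and MY-010910 "Shutdown complete" server messages; the sample log lines are constructed, and the MY-000000 InnoDB error code in them is a placeholder.

```python
"""Detect crash loops (repeated unclean restarts) in a MySQL 8.x error log.

Added example, not from the OpenCVE record. Assumed log line layout:
    <ISO-8601 timestamp> <thread id> [Level] [MY-xxxxxx] [Subsystem] <message>
"""
from collections import deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[(?P<level>\w+)\]\s+\[(?P<code>MY-\d+)\]\s+"
    r"\[(?P<subsys>[^\]]+)\]\s+(?P<msg>.*)$"
)
START_CODE = "MY-010116"      # "/usr/sbin/mysqld (...) starting as process N"
CLEAN_SHUTDOWN = "MY-010910"  # "mysqld: Shutdown complete"

# Constructed sample log: three restarts in six minutes with no shutdown in
# between, then one clean shutdown/restart cycle. MY-000000 is a placeholder.
SAMPLE_LOG = """\
2026-04-22T06:00:00.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.45) starting as process 1201
2026-04-22T06:00:02.000000Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2026-04-22T06:04:10.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.45) starting as process 1307
2026-04-22T06:04:12.000000Z 1 [ERROR] [MY-000000] [InnoDB] constructed placeholder error line
2026-04-22T06:07:30.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.45) starting as process 1399
2026-04-22T06:09:45.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.45) starting as process 1450
2026-04-22T06:30:00.000000Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.45)  MySQL Community Server - GPL.
2026-04-22T06:31:00.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.45) starting as process 1501
"""


def parse_line(line):
    """Split one error-log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "level": m["level"], "code": m["code"],
            "subsys": m["subsys"], "msg": m["msg"]}


def unclean_restarts(lines):
    """Timestamps of server starts that were not preceded by a clean shutdown."""
    events = []
    clean = True  # treat the first start in the log as coming from a clean state
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["code"] == CLEAN_SHUTDOWN:
            clean = True
        elif rec["code"] == START_CODE:
            if not clean:
                events.append(rec["ts"])   # server came back without ever shutting down
            clean = False                  # now running; next start without shutdown is unclean
    return events


def crash_loop_alerts(restart_times, threshold=3, window=timedelta(minutes=10)):
    """Sliding window over restart times: alert when `threshold` fall within `window`."""
    alerts = []
    recent = deque()
    for ts in sorted(restart_times):
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((recent[0], ts, len(recent)))  # (window start, window end, count)
    return alerts


def innodb_error_count(lines):
    """Number of [ERROR] lines emitted by the InnoDB subsystem, for triage context."""
    return sum(1 for rec in map(parse_line, lines)
               if rec and rec["level"] == "ERROR" and rec["subsys"] == "InnoDB")


def analyze(log_text):
    """Run the three checks over a whole log and return their results."""
    lines = log_text.splitlines()
    restarts = unclean_restarts(lines)
    return {"unclean_restarts": restarts,
            "alerts": crash_loop_alerts(restarts),
            "innodb_errors": innodb_error_count(lines)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for start, end, count in result["alerts"]:
        print(f"ALERT: {count} unclean restarts between {start} and {end}")
    print(f"InnoDB error lines: {result['innodb_errors']}")
```

On the constructed sample this reports one alert covering the three unclean restarts between 06:04:10 and 06:09:45 and one InnoDB error line; the clean shutdown at 06:30 resets the state, so the 06:31 start is not counted. Pointing the script at a real error log is a matter of reading the file into `analyze`; the threshold and window should be tuned to what normal maintenance restarts look like on the host.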

Generated by OpenCVE AI on April 22, 2026 at 06:28 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 06:45:00 +0000

Type                | Values Removed | Values Added
Title               |                | InnoDB Denial of Service Vulnerability in Oracle MySQL Server
Weaknesses          |                | CWE-400

Wed, 22 Apr 2026 00:00:00 +0000

Type                | Values Removed | Values Added
Description         |                | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
First Time appeared |                | Oracle; Oracle mysql Server
CPEs                |                | cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*
Vendors & Products  |                | Oracle; Oracle mysql Server
References          |                |
Metrics             |                | cvssV3_1 {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:47.606Z

Reserved: 2026-04-01T20:03:40.833Z

Link: CVE-2026-35238

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T21:16:39.557

Modified: 2026-04-21T21:16:39.557

Link: CVE-2026-35238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:30:10Z

Weaknesses