Description
An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2. If the caching_sha2_password authentication plugin is installed, and some user accounts are configured to use it, a large packet can crash the server because sha256_crypt_r uses alloca.
Published: 2026-04-03
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

A flaw exists in MariaDB Server versions before certain release points, affecting configurations that use the caching_sha2_password authentication plugin. Sending a specially crafted large packet triggers a crash because the sha256_crypt_r function allocates memory on the stack with alloca based on packet size, leading to a stack buffer overflow. The result is a denial of service, where the database process terminates and must be restarted, affecting availability for all users on the affected instance.

Affected Systems

The vulnerability affects MariaDB Server across multiple release series. Specifically, all 11.4.x releases older than 11.4.10, every 11.5.x release, every 11.6.x and 11.7.x release, all 11.8.x releases older than 11.8.6, and all 12.0.x, 12.1.x, and 12.2.x releases older than 12.2.2 are vulnerable when the caching_sha2_password plugin is enabled for any account.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate risk. No EPSS score is available, so the exploitation frequency is unclear. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker would need network access to the MariaDB server and an account that authenticates via caching_sha2_password in order to send an oversized packet, so internet-exposed or already compromised database instances are the most likely targets; isolated internal deployments are less exposed.

Generated by OpenCVE AI on April 3, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MariaDB to the latest available version in your release line.
  • If immediate upgrade is not possible, disable the caching_sha2_password plugin for all accounts or change accounts to use an alternative authentication plugin.

Generated by OpenCVE AI on April 3, 2026 at 07:50 UTC.
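The two preconditions named above (an affected build and at least one account on the caching_sha2_password plugin) can be checked together during fleet triage. The following is an added example, not OpenCVE's or MariaDB's code; it encodes the version ranges from the advisory and assumes VERSION() strings of the form `11.4.9-MariaDB-...` and account rows shaped like `(User, Host, plugin)` from `mysql.user`.

```python
import re

# Affected ranges as stated in the advisory: (major, minor) -> first fixed
# patch level, or None when every release of that series is affected.
AFFECTED_SERIES = {
    (11, 4): 10,                                   # 11.4.x before 11.4.10
    (11, 5): None, (11, 6): None, (11, 7): None,   # no fixed release in-series
    (11, 8): 6,                                    # 11.8.x before 11.8.6
    (12, 0): None, (12, 1): None, (12, 2): 2,      # 12.x before 12.2.2
}

VULN_PLUGIN = "caching_sha2_password"


def parse_version(version: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a VERSION() string.

    Assumption: strings look like '11.4.9-MariaDB-log'. A leading '5.5.5-'
    compatibility prefix, as some clients display it, is stripped first.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version.removeprefix("5.5.5-"))
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable_version(version: str) -> bool:
    major, minor, patch = parse_version(version)
    if (major, minor) not in AFFECTED_SERIES:
        return False  # series outside the advisory (10.x, 11.0-11.3, 12.3+)
    fixed = AFFECTED_SERIES[(major, minor)]
    return fixed is None or patch < fixed


def accounts_using_plugin(rows, plugin=VULN_PLUGIN):
    """rows: (user, host, plugin) tuples, e.g. SELECT User, Host, plugin FROM mysql.user."""
    return [f"{user}@{host}" for user, host, p in rows if p == plugin]


def triage(version: str, rows) -> str:
    """Combine both preconditions from the advisory into one verdict."""
    if not is_vulnerable_version(version):
        return "not affected: build is outside the affected ranges"
    accounts = accounts_using_plugin(rows)
    if not accounts:
        return "vulnerable build, but no account uses caching_sha2_password"
    return "exposed: " + ", ".join(accounts)


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real server.
    sample_rows = [("root", "localhost", "mysql_native_password"),
                   ("app", "%", "caching_sha2_password")]
    print(triage("11.4.9-MariaDB-log", sample_rows))
```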

Advisories

No advisories yet.

References
History

Fri, 03 Apr 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type: Title
Values Added: Large Packet Crashes MariaDB Server via caching_sha2_password Plugin

Type: First Time appeared
Values Added: Mariadb; Mariadb mariadb

Type: Vendors & Products
Values Added: Mariadb; Mariadb mariadb

Fri, 03 Apr 2026 05:15:00 +0000

Type: Description
Values Added: An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2. If the caching_sha2_password authentication plugin is installed, and some user accounts are configured to use it, a large packet can crash the server because sha256_crypt_r uses alloca.

Type: Weaknesses
Values Added: CWE-789

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-03T14:34:04.466Z

Reserved: 2026-04-03T05:00:17.626Z

Link: CVE-2026-35549

Vulnrichment

Updated: 2026-04-03T14:33:57.055Z

NVD

Status: Awaiting Analysis

Published: 2026-04-03T05:16:23.160

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35549

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:15:44Z

Weaknesses