Wiz
Base de données de vulnérabilitésCVE-2026-35240

CVE-2026-35240
MySQL Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-35240 is a denial-of-service vulnerability in the MySQL Server Optimizer component of Oracle MySQL. It affects MySQL Server versions 8.0.0–8.0.45, 8.4.0–8.4.8, and 9.0.0–9.6.0. The vulnerability was disclosed on April 21, 2026, as part of Oracle's April 2026 Critical Patch Update. It carries a CVSS v3.1 base score of 4.9 (Medium), reflecting an availability-only impact requiring high privileges (Oracle Advisory, GitHub Advisory).

Détails techniques

The vulnerability is classified under CWE-284 (Improper Access Control) and resides in the MySQL Server's Optimizer component, which is responsible for query execution planning (GitHub Advisory). A high-privileged attacker with network access can send crafted queries over multiple protocols (e.g., MySQL protocol, X Protocol) that trigger a hang or repeatedly crash the MySQL Server process. No user interaction is required, and the attack complexity is low, making it straightforward to execute once the attacker has the necessary database credentials. The vulnerability was reported to Oracle by researcher "yx" (Oracle Advisory).

Impact

Successful exploitation results in a complete denial of service — the MySQL Server either hangs indefinitely or crashes in a frequently repeatable manner, rendering the database entirely unavailable. There is no impact on confidentiality or data integrity; the sole consequence is loss of availability of the database service. Organizations relying on MySQL for critical applications could experience significant service disruption if a high-privileged account is compromised or misused (Oracle Advisory, GitHub Advisory).

Atténuation et solutions de contournement

Oracle has released patches for all affected versions as part of the April 2026 Critical Patch Update; administrators should upgrade MySQL Server to versions beyond 8.0.45, 8.4.8, and 9.6.0 respectively (Oracle Advisory). As interim mitigations, restrict network access to the MySQL Server to trusted hosts only, and apply the principle of least privilege by limiting which accounts have high-privilege query execution capabilities. Oracle strongly recommends applying the Critical Patch Update patches without delay rather than relying on network-level workarounds as a long-term solution.

Ressources additionnelles

SourceCe rapport a été généré à l’aide de l’IA

Apparenté MySQL Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-35240MEDIUM4.9
  • MySQLMySQL
  • mysql
NonOuiApr 21, 2026
CVE-2026-35239MEDIUM4.9
  • MySQLMySQL
  • mysql-libs
NonOuiApr 21, 2026
CVE-2026-35238MEDIUM4.9
  • MySQLMySQL
  • mysql8.4-test-debuginfo
NonOuiApr 21, 2026
CVE-2026-35237MEDIUM4.9
  • MySQLMySQL
  • mysql:8.0::mysql-devel
NonOuiApr 21, 2026
CVE-2026-35236MEDIUM4.9
  • MySQLMySQL
  • mysql-devel
NonOuiApr 21, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Ressources Wiz supplémentaires

PEACH

PEACH

Un cadre d’isolation des locataires

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités
Demander une démo