
CVE-2026-21968 is a Denial of Service vulnerability in the MySQL Server Optimizer component, affecting Oracle MySQL Server versions 8.0.0–8.0.44, 8.4.0–8.4.7, and 9.0.0–9.5.0. The vulnerability was disclosed on January 20, 2026, as part of Oracle's Critical Patch Update (CPU) for January 2026. It was reported to Oracle by Anton Fedorov. The vulnerability carries a CVSS v3.1 base score of 6.5 (Medium) (Oracle CPU Jan 2026, Feedly).
The vulnerability resides in the MySQL Server Optimizer component and is classified as an easily exploitable flaw that allows a low-privileged attacker with network access via multiple protocols to cause the MySQL Server process to hang or crash repeatedly. The root cause is not publicly detailed beyond the Optimizer component, and no CWE classification has been formally assigned. Exploitation requires only a valid low-privileged database account and network connectivity — no user interaction is needed. No public technical write-ups or proof-of-concept code have been identified (Oracle CPU Jan 2026).
Successful exploitation results in a complete Denial of Service (DoS) of the MySQL Server, causing it to hang or crash in a frequently repeatable manner, with no impact on confidentiality or integrity. The availability impact is rated High, meaning the database service becomes entirely unavailable to legitimate users and applications. This could disrupt dependent applications, business processes, and services relying on the affected MySQL instance (Oracle CPU Jan 2026).
Oracle has released patched versions addressing this vulnerability: MySQL Server 8.0.45+, 8.4.8+, and 9.6.0+. IBM has also released a patch for affected IBM API Connect deployments in April 2026. As interim mitigations, organizations should implement network access controls to restrict MySQL connectivity to trusted hosts only, limit low-privileged account permissions to necessary operations, and monitor for unusual query patterns or repeated server crashes. Oracle strongly recommends applying the Critical Patch Update patches without delay (Oracle CPU Jan 2026, IBM Advisory).
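As an added example (not part of this report or of Oracle's tooling), the following Python check classifies a server's `SELECT VERSION()` string against the affected and fixed version ranges listed above, so an inventory of instances can be swept for unpatched builds; the sample version strings at the bottom are constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges for CVE-2026-21968 as published in the
# January 2026 Oracle CPU (taken from the advisory text above).
AFFECTED_RANGES = (
    ((8, 0, 0), (8, 0, 44)),
    ((8, 4, 0), (8, 4, 7)),
    ((9, 0, 0), (9, 5, 0)),
)

# Distribution builds append suffixes ('8.0.44-0ubuntu0.22.04.1', '8.4.8-log');
# only the leading numeric triple matters for the range comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_mysql_version(raw: str) -> Optional[Version]:
    """Extract major.minor.patch from SELECT VERSION() output, or None."""
    m = _VERSION_RE.match(raw.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(raw: str) -> bool:
    """True if the version lies inside one of the published affected ranges.
    Releases the advisory does not list (e.g. the 8.1-8.3 innovation builds)
    are reported as not affected; the check only reflects the advisory."""
    v = parse_mysql_version(raw)
    if v is None:
        raise ValueError(f"unrecognised MySQL version string: {raw!r}")
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def minimum_fixed(v: Version) -> Optional[Version]:
    """First fixed release on the branch of v (8.0.45, 8.4.8, 9.6.0)."""
    if v[:2] == (8, 0):
        return (8, 0, 45)
    if v[:2] == (8, 4):
        return (8, 4, 8)
    if v[0] == 9:
        return (9, 6, 0)
    return None


def assess(raw: str) -> str:
    """One-line verdict for a single server's version string."""
    v = parse_mysql_version(raw)
    if v is None:
        return f"{raw}: unparseable version string"
    if not is_affected(raw):
        return f"{raw}: not in the published affected ranges"
    target = ".".join(map(str, minimum_fixed(v)))
    return f"{raw}: AFFECTED by CVE-2026-21968, upgrade to {target} or later"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for raw in ("8.0.44-0ubuntu0.22.04.1", "8.0.45", "8.4.7", "9.5.0", "9.6.0"):
        print(assess(raw))
```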
The vulnerability received routine coverage as part of Oracle's January 2026 Critical Patch Update, which addressed 337 security patches across Oracle product families. Red Hat, AlmaLinux, Rocky Linux, Debian, and Oracle Linux have all issued downstream advisories and errata addressing this CVE in their MySQL packages. No notable independent researcher commentary or significant social media discussion specific to this CVE has been identified (Oracle CPU Jan 2026).
Source: This report was generated using artificial intelligence.