CVE-2026-34303: 
MySQL Analisi e mitigazione delle vulnerabilità

CVE-2026-34303 is a Denial of Service vulnerability in the MySQL Server Optimizer component of Oracle MySQL. It affects MySQL Server versions 8.0.0–8.0.45, 8.4.0–8.4.8, and 9.0.0–9.6.0. The vulnerability was disclosed on April 21, 2026, as part of Oracle's April 2026 Critical Patch Update, and was reported to Oracle by Anton Fedorov. It carries a CVSS v3.1 base score of 6.5 (Medium) (Oracle CPU Apr 2026, GitHub Advisory).

The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption), residing in the MySQL Server's Optimizer component. A low-privileged attacker with network access can exploit this flaw via multiple protocols (e.g., MySQL protocol over TCP) without requiring user interaction, triggering uncontrolled resource consumption that causes the server to hang or crash repeatedly. The low attack complexity and minimal privilege requirement (any valid database account) make this straightforward to trigger, though no public proof-of-concept code has been identified (Oracle CPU Apr 2026, GitHub Advisory).

Successful exploitation results in a complete Denial of Service (DoS) of the MySQL Server — the server hangs or crashes in a frequently repeatable manner, rendering the database entirely unavailable. There is no impact on confidentiality or data integrity; the sole consequence is high availability impact. Any application or service dependent on the affected MySQL instance would experience outages for the duration of the attack (Oracle CPU Apr 2026).

Oracle has released patches for this vulnerability as part of the April 2026 Critical Patch Update. Administrators should upgrade MySQL Server to versions beyond 8.0.45, 8.4.8, and 9.6.0 respectively (i.e., apply the patched releases provided by Oracle). As a temporary workaround, restrict network access to the MySQL Server to only authorized, trusted users and systems, and consider implementing query complexity controls or connection rate limiting to reduce exposure. Oracle strongly recommends applying the Critical Patch Update patches as soon as possible rather than relying on network-level mitigations long-term (Oracle CPU Apr 2026, GitHub Advisory).

Downstream Linux distributions and vendors — including Red Hat, SUSE, openSUSE, Amazon Linux 2023, and FreeBSD — have issued their own security advisories and package updates addressing CVE-2026-34303 as part of broader MySQL update rollups. No notable independent researcher commentary or significant social media discussion specific to this vulnerability has been identified beyond routine vulnerability tracking and scanner plugin updates from Tenable (Nessus) and Qualys.