
CVE-2026-35237 is a Denial of Service vulnerability in the InnoDB component of Oracle MySQL Server, disclosed as part of Oracle's Critical Patch Update (CPU) for April 2026. It affects MySQL Server versions 8.0.0–8.0.45, 8.4.0–8.4.8, and 9.0.0–9.6.0. The vulnerability allows a high-privileged attacker with network access to cause the MySQL Server to hang or crash repeatedly, resulting in a complete denial of service. It carries a CVSS v3.1 base score of 4.9 (Medium) (Oracle CPU Apr 2026, GitHub Advisory).
The vulnerability is classified under CWE-284 (Improper Access Control), indicating that the InnoDB storage engine component does not properly restrict access to, or the handling of, certain operations that a high-privileged attacker can trigger over the network (GitHub Advisory). The attack vector is network-based, requires no user interaction, and has low attack complexity, but it does require high privileges (for example, a valid MySQL administrative or otherwise privileged account). Oracle has not publicly disclosed the technical root cause or the precise operations that trigger the hang or crash. No public proof-of-concept or detailed technical write-up has been identified at this time (Oracle CPU Apr 2026).
Successful exploitation results exclusively in an availability impact — specifically, the ability to cause MySQL Server to hang or crash in a frequently repeatable manner, constituting a complete denial of service of the database engine. There is no impact on confidentiality or data integrity, and the scope is unchanged (limited to the affected MySQL Server instance). In environments where MySQL Server underpins critical applications, repeated exploitation could render dependent services unavailable, though lateral movement or data exfiltration are not associated with this vulnerability (Oracle CPU Apr 2026).
Oracle has addressed this vulnerability in the April 2026 Critical Patch Update (CPU). Administrators should upgrade MySQL Server to versions beyond the affected ranges: 8.0.46+, 8.4.9+, or 9.6.1+ as applicable to their deployment (Oracle CPU Apr 2026). As interim mitigations, Oracle recommends restricting network access to MySQL Server to trusted hosts and users only, and removing unnecessary high-privilege accounts to reduce the attack surface. Network segmentation and firewall rules limiting MySQL port (default 3306) exposure can further reduce risk until patching is complete.
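The two checks a practitioner needs before and after patching are (1) whether a given server build falls inside the affected ranges listed above, and (2) which accounts satisfy the vulnerability's precondition of high privilege combined with network reachability. The script below is an added example written for this page, not code from Oracle, Wiz or the MySQL project. The version ranges and fixed versions are copied from the advisory text; the account rows are constructed sample data, and the notion of "high-privileged" (SUPER or any global admin grant) is an assumption, since Oracle has not said which privilege the trigger actually requires.

```python
"""Triage helpers for CVE-2026-35237 (MySQL InnoDB DoS, Oracle CPU April 2026).

Added example, not Oracle's or Wiz's code. The affected ranges and fixed
versions are those stated in the advisory; the account rows are constructed
sample data, not output from a real server.
"""
import re
from typing import NamedTuple, Optional

# (first affected, last affected, first fixed) per release track, as listed
# in the advisory: 8.0.0-8.0.45 -> 8.0.46, 8.4.0-8.4.8 -> 8.4.9, 9.0.0-9.6.0 -> 9.6.1.
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 0, 45), (8, 0, 46)),
    ((8, 4, 0), (8, 4, 8), (8, 4, 9)),
    ((9, 0, 0), (9, 6, 0), (9, 6, 1)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_mysql_version(version_string: str) -> tuple:
    """Extract (major, minor, patch) from the result of SELECT VERSION().

    Distribution and commercial builds append suffixes such as
    '-0ubuntu0.24.04.1', '-log' or '-commercial'; only the leading numeric
    triple matters for the range check.
    """
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {version_string!r}")
    return tuple(int(x) for x in m.groups())


class Verdict(NamedTuple):
    version: tuple
    affected: bool
    fixed_in: Optional[tuple]  # first fixed release on the same track, if affected


def assess_version(version_string: str) -> Verdict:
    """Return whether the build is inside one of the advisory's affected ranges."""
    v = parse_mysql_version(version_string)
    for lo, hi, fixed in AFFECTED_RANGES:
        if lo <= v <= hi:  # tuple comparison is lexicographic: major, minor, patch
            return Verdict(v, True, fixed)
    return Verdict(v, False, None)


class Account(NamedTuple):
    """One row of interest from mysql.user (user, host, Super_priv) plus a
    flag for global/dynamic admin grants taken from SHOW GRANTS."""
    user: str
    host: str
    super_priv: bool
    has_global_grants: bool


# Constructed sample data standing in for:
#   SELECT user, host, Super_priv = 'Y' FROM mysql.user;
SAMPLE_ACCOUNTS = [
    Account("root", "localhost", True, True),   # local only: cannot meet AV:N
    Account("root", "%", True, True),           # reachable from any host
    Account("app", "10.0.0.%", False, False),   # least-privilege application user
    Account("dba", "10.0.5.12", True, False),   # remote admin from a single host
]

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def risky_accounts(accounts):
    """Accounts that are high-privileged (assumed: SUPER or global grants) AND
    accept connections from a non-local host. These are the accounts that could
    satisfy PR:H over the network, so they are the first candidates for removal
    or for tightening the host part of the account name."""
    return [
        a for a in accounts
        if (a.super_priv or a.has_global_grants) and a.host not in LOCAL_HOSTS
    ]


if __name__ == "__main__":
    for s in ["8.0.42-0ubuntu0.24.04.1", "8.4.9", "9.6.0", "8.0.46-log"]:
        print(s, "->", assess_version(s))
    for a in risky_accounts(SAMPLE_ACCOUNTS):
        print("review privileged remote account:", f"{a.user}@{a.host}")
```

Feed `assess_version` the string returned by `SELECT VERSION()` on each instance; an `affected=True` verdict names the first release on the same track that the advisory lists as fixed. The account check is deliberately conservative: it does not try to guess the exact privilege Oracle has not disclosed, it only surfaces accounts that are both privileged and remotely reachable so they can be reviewed against the "remove unnecessary high-privilege accounts" mitigation.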
The fix shipped in Oracle's April 2026 CPU, which included 481 new security patches across Oracle's product families. Red Hat has issued errata (RHSA-2026:20693, RHSA-2026:23332, RHSA-2026:25052) addressing this CVE for affected MySQL packages in RHEL distributions (Oracle CPU Apr 2026). FreeBSD and several Linux distributions have also issued advisories. No notable independent researcher commentary or significant social media discussion has been identified for this specific CVE, consistent with its moderate severity and the absence of public exploit code.
Source: This report was generated using artificial intelligence