CVE-2026-35239
MySQL vulnerability analysis and mitigation

Overview

CVE-2026-35239 is a denial-of-service vulnerability in the DML (Data Manipulation Language) component of Oracle MySQL Server. It affects MySQL Server 8.0.0 through 8.0.45, 8.4.0 through 8.4.8, and 9.0.0 through 9.6.0. Oracle disclosed it on April 21, 2026 as part of its April 2026 Critical Patch Update, with a CVSS v3.1 base score of 4.9 (Medium) (Oracle Advisory, GitHub Advisory).

Technical details

The vulnerability is classified under CWE-284 (Improper Access Control): the DML component of MySQL Server does not properly restrict certain operations performed by high-privileged users (GitHub Advisory). An attacker who already holds a high-privileged account and has network access to the server can send crafted DML statements over any of the supported protocols (for example the classic MySQL protocol, port 3306 by default, or X Protocol, port 33060 by default) and make the server hang or crash; the crash is frequently repeatable. No user interaction is needed and attack complexity is low, so once the attacker has the required credentials the condition is straightforward to trigger. The published properties (network access, low complexity, high privileges, no user interaction, availability impact only) match the CVSS v3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H, which scores exactly 4.9. Which DML statements trigger the condition has not been published, and no public technical write-ups or proof-of-concept code have been identified at this time (Feedly).

Impact

Successful exploitation results in a complete denial of service of the MySQL Server: the server may hang indefinitely or crash in a frequently repeatable manner, taking down every application and service that depends on the database. Confidentiality and data integrity are not affected; the only impact is on availability. Because MySQL Server commonly backs critical business applications, a prolonged or repeated outage can cause significant operational disruption (Oracle Advisory). Since the attacker must already hold a high-privileged account, the realistic threat is a compromised or malicious DBA-level account, or an application account that has been granted broader privileges than it needs.

Mitigation and workarounds

Oracle has released patches for all affected branches as part of the April 2026 Critical Patch Update (CPUapr2026). Administrators should upgrade to MySQL Server 8.0.46 or later (8.0.x branch), 8.4.9 or later (8.4.x branch), or 9.6.1 or later (9.x branch) (Oracle Advisory); SELECT VERSION(); on each instance shows which build is running. As a temporary workaround, restrict network access to the MySQL Server (firewall the classic protocol port, 3306 by default, and the X Protocol port, 33060 by default, or bind the server to an internal interface) and confine high-privileged accounts to trusted internal sources by scoping their host part (for example 'dba'@'10.0.0.5' rather than 'dba'@'%'). These measures reduce who can reach the server with the required privileges but do not remove the defect; Oracle strongly recommends applying the patch promptly rather than relying on network-level mitigations as a long-term solution.
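The version check and the privileged-account audit that the workaround calls for, as an added example that is not part of the original advisory or of Oracle's own tooling. The affected ranges and fix versions come from the advisory text above; the set of privileges treated as "high" (HIGH_PRIVS) is an assumption, since Oracle does not say which privilege the attacker needs, and the sample grant rows are constructed here to stand in for the output of the information_schema.USER_PRIVILEGES query shown in the block:

```python
"""Offline exposure check for CVE-2026-35239 (added example, not Oracle's code).

assess_version() reports whether a build falls inside the affected ranges the
advisory lists and which build fixes it; find_exposed_high_privilege_accounts()
lists accounts that hold a high privilege and are reachable from non-local
hosts, i.e. the accounts the workaround says to confine.

Assumptions not stated by the advisory: HIGH_PRIVS is a hypothetical
approximation of "high privilege"; SAMPLE_ROWS are constructed test data.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges and first fixed build per branch, as listed in the advisory.
BRANCH_RANGES = {
    (8, 0): ((8, 0, 0), (8, 0, 45), "8.0.46"),
    (8, 4): ((8, 4, 0), (8, 4, 8), "8.4.9"),
}
# The 9.x line is listed as one range, 9.0.0 through 9.6.0, fixed in 9.6.1.
NINE_X_RANGE = ((9, 0, 0), (9, 6, 0), "9.6.1")

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_mysql_version(text: str) -> Version:
    """Extract major.minor.patch from SELECT VERSION() output such as
    '8.0.45-0ubuntu0.24.04.1' or '8.4.8-commercial', or from the banner
    printed by `mysqld --version`."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no MySQL version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


@dataclass
class Assessment:
    version: Version
    affected: bool
    fix_version: Optional[str]  # None: branch not in the advisory's list


def assess_version(text: str) -> Assessment:
    v = parse_mysql_version(text)
    if v[:2] in BRANCH_RANGES:
        lo, hi, fix = BRANCH_RANGES[v[:2]]
    elif v[0] == 9:
        lo, hi, fix = NINE_X_RANGE
    else:
        # Branches the advisory does not list (e.g. 5.7, 8.1-8.3) are
        # "not assessed", which is not the same as "safe".
        return Assessment(v, False, None)
    return Assessment(v, lo <= v <= hi, fix)


# Real information_schema columns; run this on the server to obtain the rows
# that find_exposed_high_privilege_accounts() consumes.
PRIVILEGE_QUERY = (
    "SELECT GRANTEE, PRIVILEGE_TYPE "
    "FROM information_schema.USER_PRIVILEGES ORDER BY GRANTEE;"
)

# Hypothetical choice of what counts as "high privilege" (assumption).
HIGH_PRIVS = {"SUPER", "SYSTEM_USER", "CONNECTION_ADMIN", "SYSTEM_VARIABLES_ADMIN"}

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
GRANTEE_RE = re.compile(r"^'([^']*)'@'([^']*)'$")  # GRANTEE is spelled 'user'@'host'


def find_exposed_high_privilege_accounts(
    rows: Iterable[Tuple[str, str]], high_privs=HIGH_PRIVS
) -> List[str]:
    """Return grantees holding any privilege in high_privs whose host part is
    not local-only (a wildcard, a subnet pattern, or a specific remote IP)."""
    privs_by_grantee = {}
    for grantee, priv in rows:
        privs_by_grantee.setdefault(grantee, set()).add(priv.upper())
    exposed = []
    for grantee, privs in privs_by_grantee.items():
        m = GRANTEE_RE.match(grantee)
        if not m:
            raise ValueError(f"unexpected GRANTEE format: {grantee!r}")
        if privs & high_privs and m.group(2) not in LOCAL_HOSTS:
            exposed.append(grantee)
    return sorted(exposed)


def rename_to_host_sql(grantee: str, new_host: str) -> str:
    """Statement that confines an account to one host; RENAME USER keeps the
    password and grants. Quotes in names are rejected rather than escaped."""
    m = GRANTEE_RE.match(grantee)
    if not m or "'" in new_host:
        raise ValueError("unsupported account or host spelling")
    return f"RENAME USER {grantee} TO '{m.group(1)}'@'{new_host}';"


# Constructed sample rows (not real data), shaped like PRIVILEGE_QUERY output.
SAMPLE_ROWS = [
    ("'root'@'localhost'", "SUPER"),
    ("'root'@'localhost'", "SELECT"),
    ("'dba'@'%'", "SUPER"),
    ("'dba'@'%'", "CONNECTION_ADMIN"),
    ("'app'@'10.0.0.%'", "SELECT"),
    ("'app'@'10.0.0.%'", "INSERT"),
    ("'batch'@'10.0.0.7'", "SYSTEM_VARIABLES_ADMIN"),
]

if __name__ == "__main__":
    a = assess_version("8.0.45-0ubuntu0.24.04.1")  # constructed input
    print(a.version, "affected" if a.affected else "not affected", "fix:", a.fix_version)
    for g in find_exposed_high_privilege_accounts(SAMPLE_ROWS):
        print("exposed:", g, "->", rename_to_host_sql(g, "10.0.0.5"))
```

The host to confine each account to is an operator decision, which is why rename_to_host_sql takes it as a parameter; review the generated statements before running them, since RENAME USER changes the account name that applications connect with when the host part is used in GRANT matching.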

Community response

Oracle addressed this vulnerability in its quarterly Critical Patch Update cycle; the April 2026 CPU included 481 new security patches across Oracle product families (Oracle Advisory). Red Hat subsequently issued errata (RHSA-2026:20693, RHSA-2026:23332, RHSA-2026:25052) addressing this CVE in its MySQL packages, and FreeBSD published a VuXML advisory (Feedly). No notable independent researcher commentary or significant social-media discussion has been identified for this CVE.

Additional resources


Source: This report was generated using artificial intelligence.

Related MySQL vulnerabilities:

CVE ID           Severity  Score  Technologies  Component name           Exploit CISA KEV  Has fix  Publication date
CVE-2026-35240   MEDIUM    4.9    MySQL         mysql                    No                         Apr 21, 2026
CVE-2026-35239   MEDIUM    4.9    MySQL         mysql-libs               No                         Apr 21, 2026
CVE-2026-35238   MEDIUM    4.9    MySQL         mysql8.4-test-debuginfo  No                         Apr 21, 2026
CVE-2026-35237   MEDIUM    4.9    MySQL         mysql:8.0::mysql-devel   No                         Apr 21, 2026
CVE-2026-35236   MEDIUM    4.9    MySQL         mysql-devel              No                         Apr 21, 2026
