
CVE-2026-35549 is a denial-of-service vulnerability in MariaDB Server's caching_sha2_password authentication plugin. When the plugin is installed and user accounts are configured to use it, a large packet can crash the server because sha256_crypt_r uses alloca, leading to memory allocation with an excessive size value. Affected versions include MariaDB Server before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2. It was published on April 3, 2026, and carries a CVSS v3.1 base score of 6.5 (Medium) (GitHub Advisory, Feedly).
The root cause is classified as CWE-789 (Memory Allocation with Excessive Size Value): the sha256_crypt_r function within the caching_sha2_password plugin uses alloca to allocate stack memory based on attacker-controlled input size, without enforcing an upper bound. An authenticated attacker with low privileges can send an oversized network packet during the authentication handshake, triggering a stack overflow or crash in the server process. Exploitation requires that the caching_sha2_password plugin be installed and at least one user account be configured to use it; without this precondition, the vulnerable code path is not reachable. The issue is tracked upstream as MDEV-38365 (GitHub Advisory, MariaDB JIRA).
Successful exploitation causes the MariaDB Server process to crash, resulting in a complete denial of service for all database clients. The impact is limited to availability — there is no confidentiality or integrity compromise, and no data exfiltration or modification is possible through this vulnerability. All users and applications relying on the affected MariaDB instance will lose database access until the service is restarted, potentially disrupting dependent applications and services (GitHub Advisory, Feedly).
Upgrade MariaDB Server to a patched version: 11.4.10 or later (for the 11.4.x branch), 11.8.6 or later (for the 11.5.x–11.8.x branch), or 12.2.2 or later (for the 12.x branch) (GitHub Advisory). If immediate patching is not feasible, consider disabling the caching_sha2_password authentication plugin or migrating affected user accounts to an alternative authentication plugin. Additionally, restrict network access to the MariaDB port (default 3306) using firewall rules to limit exposure to trusted hosts only, and enforce the principle of least privilege for database accounts. SUSE has released a security update (SUSE-SU-2026:2330-1) for affected SUSE Linux Enterprise packages (SUSE Advisory).
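The inventory and interim-mitigation steps above, written out as SQL a DBA would run against the affected server. This is an added example, not part of the original report or of MariaDB's own documentation. It assumes the server-side plugin is registered under the name `caching_sha2_password` as the advisory calls it, uses a constructed sample account `'app'@'10.0.0.%'`, and picks `mysql_native_password` as the replacement plugin (any other installed authentication plugin would do); the placeholder password must be replaced.

```sql
-- Added example (not from the original report): inventory and mitigation
-- steps for CVE-2026-35549 on a MariaDB server, run by a privileged DBA.
-- Assumptions: the plugin is registered as 'caching_sha2_password' as in
-- the advisory; 'app'@'10.0.0.%' is a constructed sample account;
-- mysql_native_password is the chosen replacement; 'replace-me' is a
-- placeholder password.

-- 1. Is the vulnerable plugin loaded at all? If it is absent, the
--    vulnerable code path is not reachable.
SELECT PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_LIBRARY
FROM information_schema.PLUGINS
WHERE PLUGIN_TYPE = 'AUTHENTICATION';

-- 2. Which accounts are configured to use it? Only these accounts make
--    the exploitation precondition true.
SELECT User, Host, plugin
FROM mysql.user
WHERE plugin = 'caching_sha2_password';

-- 3. Compare the running version against the affected ranges
--    (before 11.4.10; 11.5.x-11.8.x before 11.8.6; 12.x before 12.2.2).
SELECT VERSION();

-- 4. Interim mitigation while the upgrade is pending: move each affected
--    account to a different authentication plugin ...
ALTER USER 'app'@'10.0.0.%'
  IDENTIFIED VIA mysql_native_password USING PASSWORD('replace-me');

--    ... and, once no account references it, unload the plugin so the
--    vulnerable handshake path no longer exists. The plugin name here is
--    assumed to match the PLUGIN_NAME returned in step 1.
UNINSTALL PLUGIN caching_sha2_password;

-- 5. Re-check: this should now return no rows.
SELECT User, Host
FROM mysql.user
WHERE plugin = 'caching_sha2_password';
```

Step 4 changes how the affected accounts authenticate, so existing application clients will have to reconnect with the new plugin and password; coordinate the change with the owners of those accounts before running it, and treat the upgrade in the paragraph above as the actual fix.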
SUSE issued a security advisory (SUSE-SU-2026:2330-1) addressing this and other MariaDB vulnerabilities in their enterprise Linux packages (SUSE Advisory). Spain's INCIBE-CERT also published an early warning alert for the vulnerability (INCIBE-CERT). No notable independent researcher commentary or significant social media discussion has been identified for this vulnerability.
Source: This report was generated using artificial intelligence.