CVE-2023-52968: 
MariaDB Server vulnerability analysis and mitigation

MariaDB Server versions 10.4 before 10.4.33, 10.5 before 10.5.24, 10.6 before 10.6.17, 10.7 through 10.11 before 10.11.7, 11.0 before 11.0.5, and 11.1 before 11.1.4 contain a vulnerability where the server calls fixfieldsifneeded under mysqlderivedprepare when derived is not yet prepared, leading to a findfieldintable crash. The vulnerability was disclosed in March 2025 and has been assigned CVE-2023-52968 (NVD).

The vulnerability is related to incorrect behavior order (CWE-696) in the MariaDB server's handling of derived table preparation. When the server processes certain SQL queries involving derived tables, it calls the fixfieldsifneeded function before the derived table is properly prepared, resulting in a crash in the findfieldintable function. The vulnerability has been assigned a CVSS v3.1 base score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (NVD).

The primary impact of this vulnerability is a denial of service condition through server crashes. When exploited, the vulnerability affects the availability of the MariaDB server by causing it to crash during the processing of specific SQL queries involving derived tables (MariaDB Jira).

The vulnerability has been fixed in MariaDB versions 10.4.33, 10.5.24, 10.6.17, 10.11.7, 11.0.5, 11.1.4, 11.2.3, 11.3.2, and 11.4.1. Users are advised to upgrade to these or later versions to address the vulnerability (MariaDB Jira).