CVE-2025-21501: 
MySQL vulnerability analysis and mitigation

CVE-2025-21501 is a vulnerability in Oracle MySQL Server's Optimizer component affecting versions 8.0.40 and prior, 8.4.3 and prior, and 9.1.0 and prior. The vulnerability was discovered by Jie Liang of WingTecher Lab of Tsinghua University and was publicly disclosed on January 21, 2025 (NVD, Oracle CPU).

This is an easily exploitable vulnerability that allows low-privileged attackers with network access to compromise MySQL Server through multiple protocols. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is associated with CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash, leading to a complete denial of service (DoS) of MySQL Server. The vulnerability impacts only the availability of the system, with no direct effects on confidentiality or integrity (NVD).

Oracle has released patches for affected versions in the January 2025 Critical Patch Update. Ubuntu has also released security updates to address this vulnerability, updating MySQL to version 8.0.41 for Ubuntu 20.04 LTS, 22.04 LTS, 24.04 LTS, and 24.10 (Ubuntu Notice).