CVE-2026-21998 Overview
CVE-2026-21998 is a Denial of Service vulnerability affecting the MySQL Server product of Oracle MySQL, specifically within the Server: Optimizer component. This vulnerability allows a highly privileged attacker with network access to cause a complete denial of service condition, resulting in a hang or frequently repeatable crash of the MySQL Server.
Critical Impact
Successful exploitation enables attackers to completely disrupt database availability, causing service outages that can impact dependent applications and business operations.
Affected Products
- Oracle MySQL Server 8.0.0 through 8.0.45
- Oracle MySQL Server 8.4.0 through 8.4.8
- Oracle MySQL Server 9.0.0 through 9.6.0
Discovery Timeline
- April 21, 2026 - CVE-2026-21998 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-21998
Vulnerability Analysis
This vulnerability resides in the MySQL Server's Optimizer component, which is responsible for determining the most efficient execution plan for SQL queries. The flaw is classified under CWE-400 (Uncontrolled Resource Consumption), indicating that the vulnerability involves improper handling of resource allocation that can be exploited to exhaust system resources.
The vulnerability is easily exploitable but requires the attacker to have high privileges on the MySQL Server. Once exploited, the attack results in an availability impact only—there is no compromise of data confidentiality or integrity. The attack can be executed remotely via network access using multiple protocols supported by MySQL.
Root Cause
The root cause of CVE-2026-21998 lies in the MySQL Server's query optimizer, which fails to properly validate or limit resource consumption during query optimization processes. This resource exhaustion vulnerability (CWE-400) allows specially crafted queries to trigger excessive resource usage, leading to a denial of service condition.
When the optimizer processes certain malformed or complex query structures, it can enter a state where it consumes excessive CPU, memory, or other system resources, ultimately causing the server to hang or crash repeatedly.
Attack Vector
The attack is conducted over the network and requires the attacker to have high-level privileges on the target MySQL Server. The attacker sends specially crafted SQL queries that exploit the optimizer's resource handling weakness. Since no user interaction is required and the attack complexity is low, a privileged attacker can reliably trigger the denial of service condition.
The attack does not require any special conditions beyond network access and appropriate privileges, making it straightforward for attackers who have already gained administrative or elevated access to the MySQL instance.
Detection Methods for CVE-2026-21998
Indicators of Compromise
- Unusual patterns of MySQL Server crashes or hangs correlating with specific query executions
- Excessive CPU or memory consumption by the mysqld process without corresponding legitimate workload increases
- Error logs showing repeated optimizer-related failures or resource exhaustion warnings
- Abnormal query patterns from high-privileged accounts that deviate from baseline behavior
Detection Strategies
- Monitor MySQL error logs for optimizer-related crashes, hangs, or resource exhaustion messages
- Implement query logging and analysis to identify unusual or potentially malicious query patterns from privileged users
- Deploy database activity monitoring (DAM) solutions to track and alert on anomalous administrative queries
- Use SentinelOne Singularity to monitor for process anomalies and resource exhaustion patterns on database servers
Monitoring Recommendations
- Enable MySQL's Performance Schema and sys schema to track query execution metrics and resource usage
- Set up alerts for MySQL Server availability and automatic restart events
- Monitor privileged user account activity and implement session logging for administrative connections
- Establish baseline resource consumption metrics and configure threshold-based alerting for deviations
How to Mitigate CVE-2026-21998
Immediate Actions Required
- Upgrade MySQL Server to the latest patched version as identified in Oracle's April 2026 Critical Patch Update
- Review and audit all high-privileged MySQL accounts to ensure least privilege principles are enforced
- Implement network segmentation to restrict MySQL Server access to authorized hosts only
- Enable query timeout limits using max_execution_time to prevent long-running queries from consuming excessive resources
Patch Information
Oracle has released patches for this vulnerability as part of the Oracle Security Alert April 2026. Organizations should apply the appropriate patches for their MySQL Server version:
- MySQL Server 8.0.x: Upgrade to version 8.0.46 or later
- MySQL Server 8.4.x: Upgrade to version 8.4.9 or later
- MySQL Server 9.x: Upgrade to version 9.6.1 or later
Review the official Oracle security advisory for detailed patch instructions and download links.
Workarounds
- Restrict network access to MySQL Server using firewall rules to limit exposure to trusted networks only
- Implement strict privilege management by reviewing and reducing the number of accounts with high-level privileges
- Configure resource limits using MySQL's resource group feature to constrain resource consumption per session
- Enable connection rate limiting and implement IP-based access controls through MySQL's host-based authentication
# Configuration example - Implement query timeout and resource limits
# Add to my.cnf or my.ini configuration file
[mysqld]
# Set maximum query execution time (in milliseconds)
max_execution_time=30000
# Limit connections per user to reduce impact of compromised accounts
max_user_connections=50
# Enable slow query log to identify problematic queries
slow_query_log=1
slow_query_log_file=/var/log/mysql/slow-query.log
long_query_time=10
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
