CVE-2026-21998 Overview
CVE-2026-21998 is a denial-of-service vulnerability in the Oracle MySQL Server Optimizer component. The flaw affects MySQL Server versions 8.0.0-8.0.45, 8.4.0-8.4.8, and 9.0.0-9.6.0. An authenticated attacker with high privileges and network access can trigger a hang or repeatable crash of the MySQL Server process. Exploitation requires no user interaction and can be performed over multiple protocols. The vulnerability maps to CWE-400: Uncontrolled Resource Consumption. Oracle disclosed the issue in the April 2026 Critical Patch Update.
Critical Impact
Successful exploitation results in a complete denial of service of the MySQL Server, disrupting applications that depend on the database.
Affected Products
- Oracle MySQL Server 8.0.0 through 8.0.45
- Oracle MySQL Server 8.4.0 through 8.4.8
- Oracle MySQL Server 9.0.0 through 9.6.0
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-21998 published to NVD
- 2026-04-23 - Last updated in NVD database
- 2026-04 - Oracle releases fix in the April 2026 Critical Patch Update
Technical Details for CVE-2026-21998
Vulnerability Analysis
The vulnerability resides in the Server: Optimizer subsystem of Oracle MySQL Server. The Optimizer is responsible for parsing SQL statements, evaluating execution plans, and selecting the most efficient strategy. A flaw in this processing path allows an authenticated attacker to submit input that drives the server into an unrecoverable state.
The outcome is either a process hang or a frequently repeatable crash, which terminates active sessions and prevents new connections. Because MySQL often underpins web applications, identity services, and business workflows, a sustained outage of the database tier propagates to dependent services. Oracle classifies the impact as availability-only, with no effect on data confidentiality or integrity.
Root Cause
The underlying defect is categorized as uncontrolled resource consumption [CWE-400]. Crafted queries cause the Optimizer to consume resources or reach a faulty state that the server cannot safely recover from. Oracle has not published low-level technical details. Administrators should consult the Oracle Critical Patch Update Advisory - April 2026 for vendor-confirmed information.
Attack Vector
The attack vector is network-based and requires an authenticated session with high privileges. An attacker leveraging an account that can submit queries to the server can repeatedly trigger the condition, resulting in a complete denial of service. Multiple MySQL protocols are viable for delivery. No user interaction is required, and the attack complexity is low once the privileged account is available. The EPSS probability is 0.043%, indicating low observed exploitation likelihood at the time of publication.
Detection Methods for CVE-2026-21998
Indicators of Compromise
- Unexpected mysqld process crashes, restarts, or hangs accompanied by stack traces in error.log.
- Sudden spikes in CPU, memory, or thread counts originating from a single authenticated session.
- Repeated execution of unusual or malformed queries by high-privileged accounts shortly before a crash.
Detection Strategies
- Monitor MySQL error logs for Assertion failed, signal 11, or repeated abnormal termination entries tied to Optimizer code paths.
- Enable the slow query log and general query log to capture queries preceding service degradation.
- Correlate database availability alerts with authentication events for privileged accounts.
Monitoring Recommendations
- Forward MySQL audit and error logs to a centralized SIEM for correlation with authentication telemetry.
- Establish baselines for query latency, connection counts, and mysqld restart frequency to detect deviations.
- Alert on use of administrative accounts from unexpected source IPs or applications.
How to Mitigate CVE-2026-21998
Immediate Actions Required
- Apply the fixes from the April 2026 Oracle Critical Patch Update to all affected MySQL Server instances.
- Audit and reduce the number of accounts holding high privileges such as SUPER, PROCESS, or broad SELECT across system schemas.
- Restrict network exposure of MySQL to trusted application hosts and management subnets.
Patch Information
Oracle has released patched versions through the April 2026 Critical Patch Update. Upgrade Oracle MySQL Server to a release later than 8.0.45, 8.4.8, or 9.6.0 as specified in the Oracle Critical Patch Update Advisory - April 2026. Validate the upgrade in a staging environment before production rollout.
Workarounds
- Revoke unnecessary high-privilege grants and enforce least privilege for application and reporting accounts.
- Place MySQL behind a network firewall or security group that limits access to specific application servers.
- Configure connection rate limits and per-user resource limits (MAX_QUERIES_PER_HOUR, MAX_USER_CONNECTIONS) to reduce abuse potential.
# Restrict privileges and apply per-user resource limits
REVOKE SUPER, PROCESS ON *.* FROM 'app_user'@'%';
ALTER USER 'app_user'@'%' WITH
MAX_QUERIES_PER_HOUR 1000
MAX_USER_CONNECTIONS 10;
FLUSH PRIVILEGES;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

