CVE-2026-34267 Overview
CVE-2026-34267 is a denial of service vulnerability in the Oracle MySQL Server Optimizer component. The flaw affects supported MySQL Server versions 8.0.0 through 8.0.45. A high-privileged attacker with network access through multiple protocols can exploit this vulnerability to compromise the availability of MySQL Server. Successful exploitation causes a hang or repeatable crash, resulting in a complete denial of service. The vulnerability is tracked under CWE-400: Uncontrolled Resource Consumption. Oracle disclosed the issue in its April 2026 Critical Patch Update.
Critical Impact
Authenticated attackers can crash or hang the MySQL Server instance, causing complete loss of database availability for dependent applications.
Affected Products
- Oracle MySQL Server 8.0.0 through 8.0.45
- Deployments exposing MySQL Server over network protocols
- Applications depending on affected MySQL Server instances
Discovery Timeline
- 2026-04-21 - CVE-2026-34267 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-34267
Vulnerability Analysis
The vulnerability resides in the MySQL Server Optimizer component, which is responsible for query planning and execution path selection. An attacker with high-privileged database access can submit crafted queries that trigger uncontrolled resource consumption within the optimizer logic. The resulting condition causes the server process to hang or to crash, and the crash is frequently repeatable. Because the optimizer participates in every query plan, the failure mode affects the entire server instance rather than a single session. The Common Weakness Enumeration classification is CWE-400: Uncontrolled Resource Consumption.
The attack is reachable over multiple MySQL network protocols, which broadens the exposure footprint. EPSS data places the current exploitation probability at 0.043%.
Root Cause
The root cause is improper handling of resource allocation or termination conditions inside optimizer routines when processing specific query structures. The component fails to enforce sufficient bounds on the resources it commits during plan generation. This allows malformed or pathological inputs from an authenticated session to exhaust capacity or trigger an unrecoverable state.
Attack Vector
Exploitation requires network access to the MySQL Server and a high-privileged account, with no user interaction required. The attacker submits crafted SQL queries that traverse the vulnerable optimizer code path. Repeated execution forces the server into a hang or crash state, denying service to all connected clients. No specific public exploit code or proof of concept is referenced in the advisory.
For technical specifics, consult the Oracle Security Alert April 2026.
Detection Methods for CVE-2026-34267
Indicators of Compromise
- Unexpected MySQL Server process crashes or restarts logged in the mysqld error log
- Server hangs accompanied by abnormally long-running queries from high-privileged accounts
- Repeated reconnection patterns from clients after server unavailability events
Detection Strategies
- Monitor the MySQL error log for signal 11, assertion failures, and abrupt shutdown messages tied to optimizer routines
- Audit privileged account activity for unusual query patterns originating from non-standard hosts or sessions
- Correlate availability monitoring alerts with query telemetry to identify a triggering session before the crash
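As an added illustration of the correlation step above (example code, not from the advisory or from Oracle), this Python script scans constructed MySQL 8.0 error-log and general-log excerpts for crash markers (an InnoDB assertion failure and the "mysqld got signal 11" line) and reports which privileged sessions issued queries in the minute before each crash. The PRIVILEGED set, the log samples and the 60-second window are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed samples (not real captures): a MySQL 8.0 error log and the matching general query log.
ERROR_LOG = """\
2026-04-21T10:16:02.000000Z 0 [ERROR] [MY-013183] [InnoDB] Assertion failure: row0sel.cc:1234 thread 140
10:16:02 UTC - mysqld got signal 11 ;
"""
GENERAL_LOG = """\
2026-04-21T10:15:40.000000Z\t   12 Connect\tadmin@10.0.0.5 on appdb using TCP/IP
2026-04-21T10:15:41.000000Z\t   13 Connect\tapp_user@10.0.0.9 on appdb using TCP/IP
2026-04-21T10:15:50.000000Z\t   13 Query\tSELECT id FROM orders WHERE id = 1
2026-04-21T10:15:58.000000Z\t   12 Query\tSELECT COUNT(*) FROM orders o JOIN items i ON o.id = i.order_id
"""
PRIVILEGED = {"admin", "root"}  # assumption: in practice build this from mysql.user / SHOW GRANTS
CRASH_RE = re.compile(r"mysqld got signal \d+|Assertion failure")
ISO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")
SIG_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) UTC - mysqld got signal")
GEN_RE = re.compile(r"^(\S+?)\.\d+Z\t\s*(\d+) (Connect|Query)\t(.*)$")

def find_crashes(error_log):
    """Timestamps of crash events; the bare 'got signal' line borrows the date of the last stamped line."""
    crashes, last_ts = [], None
    for line in error_log.splitlines():
        if m := ISO_RE.match(line):
            last_ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        if not CRASH_RE.search(line) or last_ts is None:
            continue
        s = SIG_RE.match(line)
        ts = datetime.combine(last_ts.date(), datetime.strptime(s.group(1), "%H:%M:%S").time()) if s else last_ts
        if not crashes or ts - crashes[-1] > timedelta(seconds=5):
            crashes.append(ts)  # the assertion line and its signal line count as one event
    return crashes

def last_query_per_session(general_log, before, window=timedelta(seconds=60)):
    """Map connection id -> (user, host, last query) for sessions active in the window before a crash."""
    users, last = {}, {}
    for line in general_log.splitlines():
        if not (m := GEN_RE.match(line)):
            continue
        ts, cid, cmd, arg = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"), m.group(2), m.group(3), m.group(4)
        if cmd == "Connect":
            users[cid] = arg.split(" on ")[0]  # 'user@host' from the Connect line
        elif before - window <= ts <= before:
            last[cid] = arg
    return {cid: (*users.get(cid, "?@?").split("@"), q) for cid, q in last.items()}

def privileged_suspects(error_log, general_log):
    return [{"crash": c.isoformat(), "conn_id": cid, "user": u, "host": h, "query": q}
            for c in find_crashes(error_log)
            for cid, (u, h, q) in last_query_per_session(general_log, c).items() if u in PRIVILEGED]
```

On the sample data it reports the admin session (connection 12) as the only privileged session active before the 10:16:02 crash; point it at real logs exported from the general log or audit plugin to narrow the triggering session.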
Monitoring Recommendations
- Enable the MySQL general query log or audit plugin to capture queries executed by privileged accounts
- Track database uptime, connection failures, and process restart counts through infrastructure monitoring
- Forward MySQL logs to a centralized SIEM or data lake for query pattern analysis and historical correlation
How to Mitigate CVE-2026-34267
Immediate Actions Required
- Apply the fixes from the Oracle Critical Patch Update April 2026 to all affected MySQL Server 8.0.x instances
- Inventory all MySQL Server deployments and confirm versions between 8.0.0 and 8.0.45 are scheduled for patching
- Review and reduce the number of accounts holding high-privilege roles on MySQL Server
Patch Information
Oracle addressed CVE-2026-34267 in the April 2026 Critical Patch Update. Administrators should upgrade Oracle MySQL Server to the fixed release identified in the Oracle Security Alert April 2026. Apply the patch in non-production environments first and validate query workloads before promoting changes to production.
Workarounds
- Restrict network access to MySQL Server using firewalls, security groups, or bind-address controls to trusted hosts
- Revoke high-privilege grants such as SUPER, SYSTEM_VARIABLES_ADMIN, or schema-wide DDL privileges from accounts that do not require them
- Enforce strong authentication and rotate credentials for any account with administrative database privileges
- Place MySQL Server behind a database proxy or bastion to enable query inspection and rate limiting
# Configuration example: restrict MySQL Server network exposure
# /etc/mysql/mysql.conf.d/mysqld.cnf
[mysqld]
# Listen only on the internal interface reachable from trusted hosts (10.0.0.25 is an example address)
bind-address = 10.0.0.25
# Skip reverse DNS lookups on connect; host-based grants must then use IP addresses
skip-name-resolve
# Revoke unnecessary high privileges from an application account
# (REVOKE takes effect immediately; FLUSH PRIVILEGES is only required after editing the grant tables directly)
mysql> REVOKE SUPER, SYSTEM_VARIABLES_ADMIN ON *.* FROM 'app_user'@'%';
mysql> FLUSH PRIVILEGES;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.