CVE-2026-34304 Overview
CVE-2026-34304 is a denial-of-service vulnerability in the InnoDB storage engine of Oracle MySQL Server. The flaw allows a high-privileged attacker with network access to cause a hang or repeatable crash of the MySQL Server process. Exploitation results in complete loss of database availability without compromising data confidentiality or integrity.
The vulnerability affects Oracle MySQL Server versions 8.0.0-8.0.45, 8.4.0-8.4.8, and 9.0.0-9.6.0. It is classified under [CWE-400] Uncontrolled Resource Consumption. Oracle disclosed the issue in the April 2026 Critical Patch Update.
Critical Impact
Successful exploitation produces a complete denial of service against MySQL Server, disrupting any application or service dependent on the affected database instance.
Affected Products
- Oracle MySQL Server 8.0.0 through 8.0.45
- Oracle MySQL Server 8.4.0 through 8.4.8
- Oracle MySQL Server 9.0.0 through 9.6.0
Discovery Timeline
- 2026-04-21 - CVE-2026-34304 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-34304
Vulnerability Analysis
The vulnerability resides in the InnoDB storage engine, the default transactional engine for MySQL. An authenticated attacker holding high privileges can send crafted requests over the network using multiple supported MySQL protocols. The malicious input triggers uncontrolled resource consumption in InnoDB, leading to a server hang or repeatable crash.
The issue impacts availability only. Attackers cannot read, modify, or exfiltrate data through this flaw. However, the resulting outage propagates to every application, microservice, or analytics pipeline that depends on the affected database instance.
The attack complexity is low and no user interaction is required. The privilege requirement is the primary barrier to exploitation, limiting attackers to accounts that already hold elevated database permissions. EPSS data places the probability of observed exploitation at a low level as of May 2026.
Root Cause
The root cause is improper handling of resource allocation within InnoDB request processing paths. The engine fails to bound consumption when processing specific input sequences, allowing a privileged client to drive the server into an unrecoverable state. The condition maps to [CWE-400] Uncontrolled Resource Consumption.
Attack Vector
An attacker authenticates to MySQL Server using a high-privilege account, then sends crafted requests over the network. The request can use any of the protocols supported by the MySQL listener. The server processes the input within InnoDB and either hangs indefinitely or crashes in a manner that repeats on restart if the trigger is replayed.
No verified public exploit code is available for this vulnerability. Refer to the Oracle Security Alert April 2026 for vendor technical details.
Detection Methods for CVE-2026-34304
Indicators of Compromise
- Unexpected MySQL Server process termination or repeated mysqld restarts with InnoDB-related stack traces in the error log
- Sudden spikes in InnoDB resource utilization (memory, CPU, or I/O wait) followed by server unresponsiveness
- Repeated authenticated sessions from a single high-privileged account immediately preceding a crash
Detection Strategies
- Correlate MySQL error log entries (/var/log/mysql/error.log or platform equivalent) with authentication events to identify which privileged session preceded a crash
- Monitor for repeating crash signatures in mysqld and alert when the same fault pattern occurs more than once within a short window
- Audit privileged MySQL accounts and flag unusual connections from new source addresses or off-hours sessions
Monitoring Recommendations
- Enable the MySQL audit log plugin and forward events to a centralized logging platform for correlation with network telemetry
- Track availability metrics such as connection success rate, query latency, and InnoDB buffer pool health to detect early signs of hangs
- Alert on rapid succession of mysqld restarts which may indicate an attacker replaying the crash trigger
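The detection strategies and monitoring recommendations above both come down to the same correlation: spot a crash signature that repeats, count restarts that arrive too quickly, and tie each crash back to the privileged session that connected just before it. The following script is an added example, not code from the advisory or from Oracle. It runs over constructed sample data: error-log lines in the MySQL 8.x format (the MY- codes are placeholders and the InnoDB assertion text is illustrative) and a simplified connection log standing in for audit-plugin events; the account names, hosts and the `PRIVILEGED_ACCOUNTS` set are assumptions.

```python
"""Correlate repeated mysqld crash signatures with preceding privileged sessions."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample error log (MySQL 8.x layout). MY- codes are placeholders.
ERROR_LOG = """\
2026-04-22T02:14:07.100000Z 0 [System] [MY-000000] [Server] /usr/sbin/mysqld (mysqld 8.0.45) starting as process 4021
2026-04-22T02:15:32.500000Z 12 [ERROR] [MY-000000] [InnoDB] Assertion failure: thread 140123456 in file buf0buf.cc line 1234
2026-04-22T02:15:40.000000Z 0 [System] [MY-000000] [Server] /usr/sbin/mysqld (mysqld 8.0.45) starting as process 4088
2026-04-22T02:16:55.300000Z 9 [ERROR] [MY-000000] [InnoDB] Assertion failure: thread 140987654 in file buf0buf.cc line 1234
2026-04-22T02:17:02.000000Z 0 [System] [MY-000000] [Server] /usr/sbin/mysqld (mysqld 8.0.45) starting as process 4120
"""

# Constructed, simplified connection events: time, user, source host.
# In production these would come from the audit log plugin or general log.
CONNECT_LOG = """\
2026-04-22T02:14:30Z connect app_user 10.0.1.15
2026-04-22T02:15:20Z connect dba_admin 10.0.5.77
2026-04-22T02:16:10Z connect app_user 10.0.1.16
2026-04-22T02:16:48Z connect dba_admin 10.0.5.77
"""

PRIVILEGED_ACCOUNTS = {"dba_admin", "root"}  # assumed high-privilege accounts

ERROR_RE = re.compile(
    r"^(?P<ts>\S+) (?P<thread>\d+) \[(?P<level>\w+)\] \[(?P<code>[^\]]+)\] "
    r"\[(?P<sub>\w+)\] (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^(?P<ts>\S+) connect (?P<user>\S+) (?P<host>\S+)$")


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps mysqld writes (with or without microseconds)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class LogEvent:
    ts: datetime
    kind: str        # "crash" or "start"
    signature: str   # normalized message for crashes, "" for starts


def crash_signature(msg: str) -> str:
    """Strip volatile fields (thread ids, addresses) so one fault yields one signature."""
    msg = re.sub(r"thread \d+", "thread <id>", msg)
    return re.sub(r"0x[0-9a-fA-F]+", "<addr>", msg)


def parse_error_log(text: str) -> list[LogEvent]:
    events = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        if m["sub"] == "InnoDB" and m["level"] == "ERROR":
            events.append(LogEvent(ts, "crash", crash_signature(m["msg"])))
        elif "starting as process" in m["msg"]:
            events.append(LogEvent(ts, "start", ""))
    return events


def repeated_crash_signatures(events, window=timedelta(minutes=10)) -> set[str]:
    """Signatures that recur within `window` of an earlier occurrence (replayed trigger)."""
    crashes = [e for e in events if e.kind == "crash"]
    repeated = set()
    for i, later in enumerate(crashes):
        for earlier in crashes[:i]:
            if earlier.signature == later.signature and later.ts - earlier.ts <= window:
                repeated.add(later.signature)
    return repeated


def restart_burst(events, window=timedelta(minutes=5)) -> int:
    """Largest number of mysqld starts falling inside any single `window`."""
    starts = sorted(e.ts for e in events if e.kind == "start")
    return max((sum(1 for t in starts[i:] if t - t0 <= window)
                for i, t0 in enumerate(starts)), default=0)


def parse_connect_log(text: str) -> list[tuple[datetime, str, str]]:
    rows = []
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            rows.append((parse_ts(m["ts"]), m["user"], m["host"]))
    return rows


def privileged_session_before_crash(events, connects, privileged,
                                    lookback=timedelta(minutes=2)):
    """For each crash, the most recent privileged connect within `lookback`, if any."""
    hits = []
    for e in events:
        if e.kind != "crash":
            continue
        cands = [c for c in connects
                 if c[1] in privileged and timedelta(0) <= e.ts - c[0] <= lookback]
        if cands:
            _, user, host = max(cands)  # latest connect wins
            hits.append((e.ts, user, host))
    return hits


if __name__ == "__main__":
    ev = parse_error_log(ERROR_LOG)
    print("repeated signatures:", repeated_crash_signatures(ev))
    print("max restarts in 5 min:", restart_burst(ev))
    for ts, user, host in privileged_session_before_crash(
            ev, parse_connect_log(CONNECT_LOG), PRIVILEGED_ACCOUNTS):
        print(f"{ts.isoformat()} crash preceded by {user}@{host}")
```

On the sample data the two InnoDB assertions normalize to one signature seen twice within ten minutes, three mysqld starts land inside a five-minute window, and both crashes are preceded by a `dba_admin` connection from the same host; that combination is the pattern the strategies above describe, and an alert on it is far more actionable than a bare restart notification.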
How to Mitigate CVE-2026-34304
Immediate Actions Required
- Apply the Oracle April 2026 Critical Patch Update to all MySQL Server instances running affected versions
- Inventory MySQL accounts with high privileges (SUPER, PROCESS, RELOAD, schema owners) and remove any that are unnecessary
- Restrict network access to MySQL listeners using firewall rules or security groups so only trusted application hosts can connect
Patch Information
Oracle released fixes as part of the Oracle Security Alert April 2026. Administrators should upgrade to a patched release beyond MySQL 8.0.45, 8.4.8, or 9.6.0 as published in the Critical Patch Update advisory.
Workarounds
- Rotate credentials for high-privileged MySQL accounts and enforce strong authentication, including TLS client certificates where supported
- Place MySQL Server behind a database proxy or bastion host that enforces source-address allowlisting for administrative sessions
- Configure systemd or process supervisors to alert (rather than silently restart) on repeated mysqld crashes so operators can investigate
# Restrict MySQL network exposure and review privileged accounts
# 1. Bind MySQL to a private interface in /etc/mysql/my.cnf (restart mysqld afterwards)
[mysqld]
bind-address = 10.0.0.10
# 2. Enumerate accounts holding elevated static privileges
mysql -e "SELECT user, host FROM mysql.user \
WHERE Super_priv='Y' OR Process_priv='Y' OR Reload_priv='Y';"
#    MySQL 8.0+ also grants dynamic privileges, which live in mysql.global_grants
mysql -e "SELECT USER, HOST, PRIV FROM mysql.global_grants;"
# 3. Verify the running server version against the April 2026 CPU
#    (mysql --version reports only the client binary, so ask the server itself)
mysql -e "SELECT VERSION();"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.