CVE-2026-34308 Overview
CVE-2026-34308 is a denial-of-service vulnerability in the JSON component of Oracle MySQL Server. The flaw allows a low-privileged attacker with network access to send crafted requests that cause MySQL Server to hang or crash repeatedly. Affected versions include MySQL Server 8.0.0 through 8.0.45, 8.4.0 through 8.4.8, and 9.0.0 through 9.6.0. The vulnerability is tracked under [CWE-400] (Uncontrolled Resource Consumption) and was addressed in the Oracle Critical Patch Update of April 2026.
Critical Impact
A low-privileged authenticated attacker can trigger a complete denial of service against MySQL Server over the network, disrupting database availability for all dependent applications.
Affected Products
- Oracle MySQL Server versions 8.0.0 to 8.0.45
- Oracle MySQL Server versions 8.4.0 to 8.4.8
- Oracle MySQL Server versions 9.0.0 to 9.6.0
Discovery Timeline
- 2026-04-21 - CVE-2026-34308 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-34308
Vulnerability Analysis
The vulnerability resides in the JSON processing component of MySQL Server. An authenticated attacker with low privileges can submit specially crafted input that exhausts server resources or triggers an unhandled error condition. The result is either a hang or a repeatable crash, producing a complete denial of service.
The issue impacts availability only. Confidentiality and integrity are not affected, meaning data is not exposed or modified through this flaw. However, sustained exploitation disrupts every application that depends on the affected database instance. The EPSS probability stands at 0.04% as of 2026-05-14, indicating low observed exploitation activity at this time.
Root Cause
The underlying weakness maps to [CWE-400], Uncontrolled Resource Consumption. The MySQL JSON subsystem fails to enforce sufficient limits when parsing or evaluating attacker-supplied JSON structures. Crafted payloads consume CPU, memory, or internal handlers until the server becomes unresponsive or terminates unexpectedly.
Attack Vector
Exploitation requires network access via one of MySQL Server's supported protocols and a valid low-privileged account. No user interaction is needed, and attack complexity is low. The attacker submits a malicious JSON query or value against an affected server. Because privilege requirements are minimal, any compromised or rogue database user can launch the attack. Detailed technical specifics are restricted to Oracle's advisory. See the Oracle Critical Patch Update Advisory - April 2026 for vendor-supplied details.
Detection Methods for CVE-2026-34308
Indicators of Compromise
- Unexpected MySQL Server process crashes or restarts logged in mysqld.err or systemd journal entries referencing the JSON subsystem.
- Sudden spikes in CPU or memory usage on the mysqld process correlated with incoming queries containing JSON functions or operators.
- Repeated client connections from the same authenticated account immediately preceding server hangs.
Detection Strategies
- Monitor MySQL general query logs and audit logs for repeated execution of JSON functions such as JSON_TABLE, JSON_EXTRACT, or JSON_SEARCH from a single low-privileged account.
- Correlate database availability events with query patterns to identify attacker probing.
- Track failed health checks from application tiers that point to specific MySQL instances becoming unresponsive.
Monitoring Recommendations
- Enable the MySQL Enterprise Audit plugin or equivalent logging to capture statement-level activity for JSON queries.
- Forward MySQL error and audit logs to a centralized SIEM for correlation across the database fleet.
- Configure alerts for mysqld restart events and abnormal connection churn from non-administrative accounts.
How to Mitigate CVE-2026-34308
Immediate Actions Required
- Apply the April 2026 Oracle Critical Patch Update to all MySQL Server instances running affected versions.
- Inventory all MySQL Server deployments to confirm version coverage across 8.0.x, 8.4.x, and 9.x branches.
- Restrict database user accounts to the minimum required privileges and remove unused accounts.
Patch Information
Oracle released the fix as part of the April 2026 Critical Patch Update. Administrators should upgrade to versions later than 8.0.45, 8.4.8, or 9.6.0 according to their deployed branch. Refer to the Oracle Critical Patch Update Advisory - April 2026 for exact fixed versions and download instructions.
Workarounds
- Limit network exposure of MySQL Server to trusted application hosts using firewall rules or security groups.
- Enforce strong authentication and rotate credentials for all database accounts.
- Apply per-user resource limits such as MAX_USER_CONNECTIONS, MAX_QUERIES_PER_HOUR, and connection timeouts to constrain abusive sessions.
# Example: apply per-account resource limits to reduce DoS surface
mysql -u root -p -e "ALTER USER 'app_user'@'%' \
WITH MAX_USER_CONNECTIONS 20 \
MAX_QUERIES_PER_HOUR 5000;"
# Restrict network access at the firewall layer (Linux example)
sudo iptables -A INPUT -p tcp --dport 3306 \
-s 10.0.0.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 3306 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
