CVE-2026-35234: Oracle MySQL Server DoS Vulnerability

CVE-2026-35234 Overview

CVE-2026-35234 is a denial of service vulnerability in the Oracle MySQL Server Server: Partition component. Affected versions span MySQL Server 9.0.0 through 9.6.0. The flaw allows a high-privileged attacker with network access via multiple protocols to compromise availability of the MySQL Server. Successful exploitation results in a hang or frequently repeatable crash, producing a complete denial of service of the database instance. The issue is categorized under [CWE-284] Improper Access Control and was disclosed as part of the Oracle Critical Patch Update advisory cycle.

Critical Impact

An authenticated attacker can trigger a repeatable crash or hang of the MySQL Server process, producing complete denial of service for all connected applications and dependent services.

Affected Products

• Oracle MySQL Server 9.0.0
• Oracle MySQL Server versions 9.1.0 through 9.5.0
• Oracle MySQL Server 9.6.0

Discovery Timeline

• 2026-04-21 - CVE-2026-35234 published to the National Vulnerability Database
• 2026-04-23 - CVE-2026-35234 last updated in NVD

Technical Details for CVE-2026-35234

Vulnerability Analysis

The vulnerability resides in the partitioning subsystem of Oracle MySQL Server. The Server: Partition component manages table partitioning operations, including range, list, hash, and key partitioning across storage engines. An authenticated user with elevated database privileges can issue specific operations that cause the server process to hang or crash. The vulnerability is network-reachable across multiple MySQL protocols, including the classic MySQL client protocol and the X Protocol. Confidentiality and integrity are not impacted, but availability is fully compromised because the entire mysqld process becomes unresponsive.

Root Cause

Oracle classifies this issue under [CWE-284] Improper Access Control. The partition handling logic does not enforce sufficient constraints on operations issued by high-privileged sessions, allowing crafted partition-related statements to drive the server into a fault condition. Oracle has not released technical details of the specific code path beyond the advisory in the Critical Patch Update.

Attack Vector

Exploitation requires valid authentication with high privileges on the target MySQL Server. The attacker connects over the network using a supported MySQL protocol and issues partition-related operations that trigger the defect. No user interaction is required, and exploit complexity is low. The vulnerability is therefore most relevant in environments where database administrator credentials are shared, where service accounts have excessive privileges, or where an attacker has already compromised a privileged account through another vector. The current EPSS probability is 0.04%, and no public exploit code is known.

No verified proof-of-concept code is available. Refer to the Oracle Critical Patch Update April 2026 advisory for vendor guidance.

Detection Methods for CVE-2026-35234

Indicators of Compromise

• Unexpected mysqld process crashes or restarts followed by entries in the MySQL error log referencing partition handlers or signal handlers.
• Repeated client disconnection errors and connection storms after a high-privileged session executes partition DDL or DML statements.
• Sudden spikes in Aborted_connects and Connection_errors_internal status counters correlated with administrative sessions.

Detection Strategies

• Audit MySQL general query and audit logs for partition-related statements such as ALTER TABLE ... PARTITION, REORGANIZE PARTITION, and EXCHANGE PARTITION issued by privileged accounts.
• Correlate database service restarts with preceding statements executed by accounts holding SUPER, ALTER, or PROCESS privileges.
• Baseline normal partition maintenance windows and alert on out-of-band partition operations from non-DBA sessions.

Monitoring Recommendations

• Forward MySQL error logs, audit logs, and host process telemetry to a centralized SIEM for correlation and retention.
• Monitor mysqld availability with synthetic transactions that detect hangs in addition to outright crashes.
• Track privileged account usage and alert on partition operations executed outside approved change windows.

How to Mitigate CVE-2026-35234

Immediate Actions Required

• Apply the fixes from the Oracle Critical Patch Update April 2026 to all MySQL Server 9.0.0 through 9.6.0 instances.
• Inventory all MySQL Server 9.x deployments, including embedded and developer instances, and prioritize internet-reachable or business-critical systems.
• Review and reduce the population of accounts holding high privileges such as SUPER, ALTER, and global CREATE rights.

Patch Information

Oracle addressed CVE-2026-35234 in the April 2026 Critical Patch Update. Administrators should upgrade to the fixed MySQL Server release identified in the Oracle advisory and follow Oracle's standard upgrade procedures, including binary log compatibility checks and replication topology validation. Refer to the Oracle Critical Patch Update Advisory for the specific patched version mapping.

Workarounds

• Restrict network access to MySQL Server ports 3306 and 33060 so only trusted application hosts and administrative jump servers can connect.
• Enforce least privilege by revoking partition-related and administrative privileges from accounts that do not require them.
• Require multi-factor authentication and session recording for any account that retains the privileges needed to exploit this vulnerability.

# Example: revoke unnecessary high privileges and restrict access
REVOKE ALTER, SUPER ON *.* FROM 'app_user'@'%';
FLUSH PRIVILEGES;

# Restrict MySQL network exposure with host firewall (Linux example)
iptables -A INPUT -p tcp --dport 3306 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
iptables -A INPUT -p tcp --dport 33060 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 33060 -j DROP