CVE-2026-35236 Overview
A vulnerability has been identified in the MySQL Server product of Oracle MySQL, specifically within the InnoDB storage engine component. This flaw allows a high-privileged attacker with network access to compromise the MySQL Server through multiple protocols. The vulnerability is classified as easily exploitable and can result in a complete denial of service (DoS) condition, causing the MySQL Server to hang or repeatedly crash.
Critical Impact
Successful exploitation enables attackers to cause complete service disruption of MySQL Server instances, resulting in database unavailability and potential business operations impact.
Affected Products
- Oracle MySQL Server versions 8.0.0 through 8.0.45
- Oracle MySQL Server versions 8.4.0 through 8.4.8
- Oracle MySQL Server versions 9.0.0 through 9.6.0
Discovery Timeline
- April 21, 2026 - CVE-2026-35236 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35236
Vulnerability Analysis
This vulnerability resides in the InnoDB storage engine, which is the default and most commonly used storage engine in MySQL for transactional database operations. The flaw stems from improper access control (CWE-284) within the InnoDB component, allowing authenticated administrators to trigger conditions that destabilize the database server.
The attack requires network access and can be executed through multiple MySQL protocols. While the vulnerability requires high privileges to exploit, once executed, it can completely disrupt database availability. The scope is limited to the vulnerable component without impacting other system resources, and only availability is affected—confidentiality and integrity remain intact.
Root Cause
The root cause is classified under CWE-284 (Improper Access Control). The InnoDB storage engine fails to properly validate or restrict certain privileged operations, allowing authenticated high-privileged users to execute actions that lead to resource exhaustion or crash conditions within the database server.
Attack Vector
The attack leverages network connectivity to the MySQL Server through standard MySQL protocols. An attacker with administrative privileges can send specially crafted requests to the InnoDB component that trigger either a server hang or a repeatable crash condition. The attack requires no user interaction and can be automated once an attacker has obtained the necessary credentials.
The vulnerability is network-accessible with low attack complexity, though it does require high privileges (typically administrative access to the MySQL instance). This limits the attack surface to scenarios where administrative credentials have been compromised or where malicious insiders have elevated database access.
Detection Methods for CVE-2026-35236
Indicators of Compromise
- Unexpected MySQL Server crashes or restarts, particularly those associated with InnoDB operations
- Repeated server hangs occurring during database transactions without apparent cause
- Unusual patterns of administrative queries targeting InnoDB-specific functionality
- Error logs indicating InnoDB assertion failures or resource exhaustion conditions
Detection Strategies
- Monitor MySQL error logs for InnoDB-related crash signatures and assertion failures
- Implement database activity monitoring (DAM) to track administrative queries and privileged operations
- Deploy anomaly detection for unusual patterns in MySQL connection behavior from administrative accounts
- Configure alerts for MySQL service availability interruptions and automatic restart events
Monitoring Recommendations
- Enable MySQL General Query Log or Audit Plugin to capture administrative operations for forensic analysis
- Set up real-time monitoring of MySQL Server uptime and availability metrics
- Configure automated alerting for service disruptions exceeding expected maintenance windows
- Implement baseline monitoring for InnoDB performance metrics to detect degradation patterns
How to Mitigate CVE-2026-35236
Immediate Actions Required
- Verify current MySQL Server version against affected version ranges (8.0.0-8.0.45, 8.4.0-8.4.8, 9.0.0-9.6.0)
- Review and restrict administrative access to MySQL Server instances to essential personnel only
- Implement network segmentation to limit direct access to MySQL Server ports
- Enable comprehensive logging to capture any exploitation attempts during the vulnerability window
Patch Information
Oracle has released security patches addressing this vulnerability as part of the April 2026 Critical Patch Update. Organizations should upgrade to patched versions of MySQL Server as specified in the Oracle Security Advisory.
For MySQL Server 8.0.x deployments, upgrade to version 8.0.46 or later. For MySQL Server 8.4.x deployments, upgrade to version 8.4.9 or later. For MySQL Server 9.x deployments, upgrade to version 9.6.1 or later as specified in Oracle's security bulletin.
Workarounds
- Implement strict network access controls to limit MySQL Server connectivity to trusted IP ranges only
- Enforce multi-factor authentication for all administrative database accounts
- Apply principle of least privilege by reviewing and reducing unnecessary administrative account grants
- Consider implementing connection rate limiting for administrative operations as an additional layer of protection
# Example: Restrict MySQL administrative access to specific IP ranges
# Add to MySQL configuration (my.cnf or my.ini)
[mysqld]
bind-address = 127.0.0.1 # Bind to localhost only if external access not required
# For firewall-based restrictions (iptables example)
iptables -A INPUT -p tcp --dport 3306 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
