CVE-2026-35237 Overview
CVE-2026-35237 is a denial of service vulnerability affecting the InnoDB storage engine component of Oracle MySQL Server. This improper access control flaw (CWE-284) allows a high-privileged attacker with network access to cause a complete denial of service condition against MySQL Server instances. The vulnerability is classified as easily exploitable and can be triggered via multiple network protocols, resulting in a hang or frequently repeatable crash of the database server.
Critical Impact
Successful exploitation enables attackers with administrative privileges to completely disrupt MySQL Server availability, causing service outages for all dependent applications and services.
Affected Products
- Oracle MySQL Server 8.0.0 through 8.0.45
- Oracle MySQL Server 8.4.0 through 8.4.8
- Oracle MySQL Server 9.0.0 through 9.6.0
Discovery Timeline
- April 21, 2026 - CVE-2026-35237 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-35237
Vulnerability Analysis
This vulnerability resides in the InnoDB storage engine, MySQL's default transactional storage engine. The flaw is categorized under CWE-284 (Improper Access Control), indicating that the vulnerability stems from insufficient validation or control mechanisms within the InnoDB component.
The attack requires high privileges but low complexity to execute. An attacker with administrative database credentials can exploit this vulnerability remotely over the network using standard MySQL protocols. The impact is limited to availability: confidentiality and integrity are not affected. That availability impact is complete, however, meaning successful exploitation results in total loss of database service.
Root Cause
The root cause is improper access control within the InnoDB storage engine component. When certain operations are performed by a privileged user, the engine fails to handle the request properly, leading to resource exhaustion or an unrecoverable error state that causes the MySQL Server process to hang or crash.
Attack Vector
The attack is network-based and can be executed via multiple protocols supported by MySQL Server. An attacker requires:
- Valid high-privileged credentials (administrative access) to the MySQL Server
- Network connectivity to the target MySQL instance
- Ability to execute specific operations that trigger the vulnerable code path in InnoDB
The vulnerability does not require user interaction and affects only the vulnerable system (unchanged scope). While the attack requires elevated privileges, organizations with compromised administrative credentials or malicious insiders are at risk.
Detection Methods for CVE-2026-35237
Indicators of Compromise
- Unexpected MySQL Server crashes or hangs, particularly when administrative operations are performed
- Repeated crash recovery events in MySQL error logs related to InnoDB operations
- Unusual connection patterns from privileged accounts followed by service interruptions
- InnoDB-specific error messages in logs preceding server unresponsiveness
Detection Strategies
- Monitor MySQL error logs for crash patterns and InnoDB-related errors using SIEM integration
- Configure alerting on MySQL Server process terminations or restarts outside maintenance windows
- Implement database activity monitoring (DAM) to track privileged user operations
- Set up health checks that detect prolonged query hangs or connection timeouts
Monitoring Recommendations
- Enable MySQL Server crash dumps and error logging for forensic analysis
- Deploy real-time monitoring of MySQL availability and response times
- Track authentication events for privileged accounts and correlate with service disruptions
- Monitor system resources (CPU, memory) for anomalies preceding crashes
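The following script is an added example for the Detection Strategies and Monitoring Recommendations above; it is not code from the advisory or from Oracle. It scans a MySQL 8.x error log for server starts that were not preceded by a clean shutdown and, for each such restart, collects the InnoDB ERROR lines logged in the minutes before it and notes whether InnoDB then reported crash recovery. It assumes the default MySQL 8 error-log line layout (timestamp, thread id, severity, MY- code, subsystem, message). The sample log lines are constructed, and their MY- codes are illustrative only.

```python
"""Scan a MySQL 8.x error log for unclean restarts and the InnoDB errors that preceded them.

Added example for this advisory's detection guidance; not code from the advisory or
from Oracle. Assumes the default MySQL 8 error-log line layout:
    <ISO-8601 timestamp>Z <thread id> [<severity>] [MY-nnnnnn] [<subsystem>] <message>
The sample log below is constructed; its MY- codes are illustrative only.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{1,6}Z) "
    r"(?P<thread>\d+) \[(?P<severity>[A-Za-z]+)\] \[(?P<code>MY-\d+)\] "
    r"\[(?P<subsystem>[^\]]+)\] (?P<msg>.*)$"
)


@dataclass
class Event:
    ts: datetime
    severity: str
    subsystem: str
    msg: str


def parse_line(line: str):
    """Parse one error-log line; return None for lines in another layout (e.g. stack dumps)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return Event(ts, m["severity"], m["subsystem"], m["msg"])


def find_unclean_restarts(lines, lookback=timedelta(minutes=5)):
    """Return one finding per server start that was not preceded by a clean shutdown.

    Each finding carries the InnoDB ERROR lines logged within `lookback` before the
    restart and whether InnoDB reported crash recovery afterwards: the evidence an
    analyst needs to tell a crash from a planned restart before correlating it with
    privileged-account activity.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    findings = []
    clean_shutdown_seen = True   # nothing is known before the first line; assume benign
    current = None               # finding for the most recent start, if it was unclean
    for i, e in enumerate(events):
        if e.subsystem == "Server" and "Shutdown complete" in e.msg:
            clean_shutdown_seen = True
        elif e.subsystem == "Server" and "starting as process" in e.msg:
            current = None
            if not clean_shutdown_seen:
                window = [x for x in events[:i] if x.ts >= e.ts - lookback]
                current = {
                    "restart_at": e.ts.isoformat(),
                    "innodb_errors": [x.msg for x in window
                                      if x.subsystem == "InnoDB" and x.severity == "ERROR"],
                    "crash_recovery": False,
                }
                findings.append(current)
            clean_shutdown_seen = False
        elif e.subsystem == "InnoDB" and "crash recovery" in e.msg.lower() and current is not None:
            current["crash_recovery"] = True
    return findings


# Constructed sample: a normal start, two InnoDB errors, an unclean restart with crash
# recovery, then a clean shutdown followed by a planned restart onto a patched build.
SAMPLE_LOG = """\
2026-04-22T10:14:58.100000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.45) starting as process 2165
2026-04-22T10:15:02.300000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections. Version: '8.0.45'
2026-04-22T11:40:10.200000Z 42 [ERROR] [MY-013183] [InnoDB] Assertion failure in thread 42 (constructed sample)
2026-04-22T11:40:10.200500Z 42 [ERROR] [MY-013183] [InnoDB] Thread 42 aborting with a fatal InnoDB error (constructed sample)
2026-04-22T11:40:35.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.45) starting as process 2410
2026-04-22T11:40:36.500000Z 1 [Note] [MY-012532] [InnoDB] Starting crash recovery.
2026-04-22T18:00:00.000000Z 0 [System] [MY-010910] [Server] /usr/sbin/mysqld: Shutdown complete (mysqld 8.0.45)
2026-04-22T18:01:00.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.46) starting as process 3001
"""

if __name__ == "__main__":
    for f in find_unclean_restarts(SAMPLE_LOG.splitlines()):
        print(f"unclean restart at {f['restart_at']}, crash recovery: {f['crash_recovery']}")
        for msg in f["innodb_errors"]:
            print("  preceding InnoDB error:", msg)
```

On a live host, feed the script the server's error log (the path in `log_error`) instead of SAMPLE_LOG; a finding whose timestamp lines up with a privileged login in the audit log is the sequence the Indicators of Compromise above describe.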
How to Mitigate CVE-2026-35237
Immediate Actions Required
- Apply the Oracle Critical Patch Update (CPU) for April 2026 immediately
- Review and restrict network access to MySQL Server instances using firewall rules
- Audit accounts with high privileges and enforce principle of least privilege
- Implement strong authentication and credential management for administrative accounts
Patch Information
Oracle has addressed this vulnerability in the April 2026 Critical Patch Update. Administrators should upgrade to patched versions:
- MySQL Server 8.0.46 or later
- MySQL Server 8.4.9 or later
- MySQL Server 9.6.1 or later
For detailed patch information and download links, refer to the Oracle Critical Patch Update April 2026.
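As an added example covering the Affected Products and Patch Information lists (not code from the advisory or from Oracle), the following helper decides whether a MySQL Server version string falls inside one of the affected ranges listed on this page and which fixed release the page names for that series. It assumes the version is given either as "major.minor.patch" with an optional "-suffix" (as distribution packages append) or as the banner printed by `mysqld --version`.

```python
"""Tell whether a MySQL Server version falls in a CVE-2026-35237 affected range.

Added example; not code from the advisory or from Oracle. The ranges and fixed
releases are exactly those listed on this page. Assumes the version string is either
"major.minor.patch" (optionally followed by "-suffix") or the `mysqld --version` banner.
"""
import re

# (first affected, last affected), inclusive, per the Affected Products list
AFFECTED_RANGES = (
    ((8, 0, 0), (8, 0, 45)),
    ((8, 4, 0), (8, 4, 8)),
    ((9, 0, 0), (9, 6, 0)),
)
# Fixed release per affected series, per the Patch Information list
FIXED_RELEASE = {(8, 0): "8.0.46", (8, 4): "8.4.9", 9: "9.6.1"}


def parse_version(s: str):
    """'8.0.45-0ubuntu0.22.04.1' -> (8, 0, 45); raises ValueError on anything else."""
    core = s.strip().split("-", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized MySQL version string: {s!r}")
    return tuple(int(p) for p in parts)


def version_from_banner(banner: str) -> str:
    """Extract 'x.y.z' from output such as 'mysqld  Ver 8.0.45 for Linux on x86_64 (...)'."""
    m = re.search(r"\bVer (\d+\.\d+\.\d+)", banner)
    if not m:
        raise ValueError("no 'Ver x.y.z' token in banner")
    return m.group(1)


def is_affected(s: str) -> bool:
    """True when the version lies in one of the ranges listed on this page."""
    v = parse_version(s)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(s: str):
    """Fixed release for an affected version; None when the version is not in a listed range."""
    v = parse_version(s)
    if not is_affected(s):
        return None
    if v[0] == 9:
        return FIXED_RELEASE[9]      # all listed 9.x releases point at 9.6.1
    return FIXED_RELEASE[(v[0], v[1])]


if __name__ == "__main__":
    # Constructed banner, in the layout `mysqld --version` prints
    banner = "/usr/sbin/mysqld  Ver 8.0.45 for Linux on x86_64 (MySQL Community Server - GPL)"
    running = version_from_banner(banner)
    if is_affected(running):
        print(f"{running} is affected; upgrade to {recommended_upgrade(running)} or later")
    else:
        print(f"{running} is not in a listed affected range")
```

To check a running server, pass the output of `mysqld --version` (or the value of `SELECT VERSION()`) into `version_from_banner` / `parse_version`; a result of None from `recommended_upgrade` only means the version is not in a range this page lists, not that it has been assessed as safe.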
Workarounds
- Restrict network access to MySQL Server to trusted hosts and networks only
- Implement database firewall rules to limit administrative operations from specific IP addresses
- Enable MySQL audit logging to detect and investigate suspicious privileged activity
- Consider placing MySQL instances behind a VPN or private network segment
# Example: Restrict MySQL access to trusted hosts via firewall
# The ACCEPT rule must precede the DROP rule; replace 10.0.0.0/8 with your trusted range.
iptables -A INPUT -p tcp --dport 3306 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
# Example: Review privileged users in MySQL (accounts holding SUPER or CREATE USER)
mysql -e "SELECT user, host FROM mysql.user WHERE Super_priv='Y' OR Create_user_priv='Y';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.