CVE-2026-35240 Overview
CVE-2026-35240 is a Denial of Service vulnerability in the MySQL Server product of Oracle MySQL, specifically within the Server: Optimizer component. This vulnerability allows a high-privileged attacker with network access to cause a complete denial of service by triggering a hang or frequently repeatable crash of the MySQL Server.
Critical Impact
Successful exploitation enables attackers with administrative privileges to completely disrupt database availability, causing service outages that can impact dependent applications and business operations.
Affected Products
- Oracle MySQL Server 8.0.0 through 8.0.45
- Oracle MySQL Server 8.4.0 through 8.4.8
- Oracle MySQL Server 9.0.0 through 9.6.0
Discovery Timeline
- 2026-04-21 - CVE-2026-35240 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-35240
Vulnerability Analysis
This vulnerability resides in the Query Optimizer component of MySQL Server, which is responsible for determining the most efficient execution plan for SQL queries. The flaw is classified under CWE-284 (Improper Access Control), indicating that the vulnerability stems from insufficient restrictions on actions that can be performed by authenticated users with elevated privileges.
The attack can be executed remotely over multiple network protocols supported by MySQL, and exploitation is considered relatively straightforward once an attacker has obtained high-privilege access to the database server. While the vulnerability requires elevated privileges, the impact is severe as it enables complete service disruption.
Root Cause
The vulnerability originates from improper handling within the Optimizer component when processing certain query patterns. When specific conditions are met during query optimization, the server enters a state that results in either a hang condition or a crash, leading to service unavailability. The improper access control classification suggests that the Optimizer fails to adequately validate or restrict certain operations that can trigger the denial of service condition.
Attack Vector
The attack is network-based and requires the attacker to have authenticated access with high privileges (such as database administrator rights). The exploitation does not require user interaction and can be reliably reproduced once the triggering conditions are identified.
An attacker with elevated MySQL privileges could craft specific SQL queries that trigger the vulnerable code path in the Optimizer component. When these queries are executed, the server process either hangs indefinitely or crashes, requiring manual intervention to restore service. The easily exploitable nature of this vulnerability means that once an attacker identifies the triggering pattern, exploitation can be repeated at will to maintain a denial of service condition.
Detection Methods for CVE-2026-35240
Indicators of Compromise
- Unexpected MySQL Server crashes or restarts without apparent cause
- MySQL error logs showing optimizer-related errors or assertion failures
- Repeated service unavailability correlated with specific query patterns from privileged accounts
- Unusual query activity from administrative accounts targeting database optimization functions
Detection Strategies
- Monitor MySQL error logs for crash dumps and optimizer component errors
- Implement audit logging for all administrative database queries to identify suspicious patterns
- Configure alerting for MySQL service availability and unexpected restarts
- Deploy database activity monitoring solutions to detect anomalous queries from privileged users
Monitoring Recommendations
- Enable the MySQL general query log temporarily during investigation periods to capture potential exploit attempts; it records every statement from every client and grows quickly, so keep it scoped to the investigation window
- Configure process monitoring to alert on MySQL daemon crashes or excessive resource consumption
- Implement database health checks that verify query processing functionality
- Review administrative account access patterns for unusual query volumes or timing
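The following Python script is an added example, not part of this advisory or of Oracle's tooling. It implements the two detection ideas above: clustering mysqld startups from the error log to catch a crash/restart cycle, and correlating each crash with statements that privileged accounts ran in the preceding minute. The error log excerpt and the audit records are constructed in the shape of MySQL 8 logs (not from a real incident), the error codes in them are illustrative, and the audit-record layout (JSON lines with ts/user/host/sql fields) is an assumption; adapt the loader to whatever your audit plugin emits.

```python
"""Spot repeated mysqld crash/restart cycles in a MySQL 8 error log and list the
statements privileged accounts ran just before each crash.  Added example: the
log excerpts are constructed in the shape of MySQL 8 logs and are not from a
real incident; the audit-record layout (ts/user/host/sql JSON lines) is assumed."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed error log: one maintenance restart, then three crash/restart cycles.
# Error codes, paths and the assertion text are illustrative placeholders.
ERROR_LOG = """\
2026-04-22T02:00:10.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.44) starting as process 2210
2026-04-22T02:00:12.000000Z 0 [System] [MY-010931] [Server] /usr/sbin/mysqld: ready for connections.
2026-04-22T10:17:40.000000Z 0 [ERROR] [MY-0XXXXX] [Server] Assertion failure: sql/<file>.cc:<line>: <condition> (constructed)
2026-04-22T10:17:40.100000Z UTC - mysqld got signal 6 ;
2026-04-22T10:17:55.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.44) starting as process 4311
2026-04-22T10:22:10.100000Z UTC - mysqld got signal 6 ;
2026-04-22T10:22:30.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.44) starting as process 4387
2026-04-22T10:26:05.100000Z UTC - mysqld got signal 6 ;
2026-04-22T10:26:20.000000Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.44) starting as process 4460
"""

# Constructed audit records (assumed layout); the SQL text is a placeholder.
AUDIT_LOG = """\
{"ts": "2026-04-22T10:16:00Z", "user": "app_ro", "host": "10.0.7.3", "sql": "SELECT id FROM orders WHERE id = 42"}
{"ts": "2026-04-22T10:17:38Z", "user": "dba_admin", "host": "10.0.5.12", "sql": "SELECT /* constructed placeholder */ ..."}
{"ts": "2026-04-22T10:22:08Z", "user": "dba_admin", "host": "10.0.5.12", "sql": "SELECT /* constructed placeholder */ ..."}
{"ts": "2026-04-22T10:26:03Z", "user": "app_ro", "host": "10.0.7.3", "sql": "SELECT id FROM orders WHERE id = 43"}
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?)Z")

# Signatures of the events we care about; the kind labels are our own.
SIGNATURES = [
    ("crash", re.compile(r"mysqld got signal \d+")),
    ("assert", re.compile(r"Assertion failure")),
    ("start", re.compile(r"starting as process \d+")),
]


def parse_ts(stamp):
    return datetime.fromisoformat(stamp.rstrip("Z")).replace(tzinfo=timezone.utc)


def parse_error_log(text):
    """Return (timestamp, kind) for every crash, assertion and startup line."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # stack-trace continuation lines carry no timestamp
        for kind, pattern in SIGNATURES:
            if pattern.search(line):
                events.append((parse_ts(m.group(1)), kind))
                break
    return events


def find_restart_bursts(events, min_starts=2, window=timedelta(minutes=15)):
    """Cluster startups: several within one window means the server is being
    knocked over repeatedly, which is the 'frequently repeatable crash' pattern.
    Returns (first_start, last_start, count) per burst."""
    starts = sorted(ts for ts, kind in events if kind == "start")
    bursts, i = [], 0
    while i < len(starts):
        j = i
        while j + 1 < len(starts) and starts[j + 1] - starts[i] <= window:
            j += 1
        if j - i + 1 >= min_starts:
            bursts.append((starts[i], starts[j], j - i + 1))
        i = j + 1
    return bursts


def correlate_with_audit(events, audit_text, privileged_users, lookback=timedelta(seconds=60)):
    """For each crash, the statements privileged accounts issued in the lookback
    window before it.  Keyed by crash time (ISO 8601) -> ['user@host: sql', ...]."""
    records = []
    for line in audit_text.splitlines():
        if line.strip():
            r = json.loads(line)
            r["ts"] = parse_ts(r["ts"])
            records.append(r)
    findings = {}
    for crash_ts, kind in events:
        if kind != "crash":
            continue
        hits = [f"{r['user']}@{r['host']}: {r['sql']}" for r in records
                if r["user"] in privileged_users and crash_ts - lookback <= r["ts"] <= crash_ts]
        if hits:
            findings[crash_ts.isoformat()] = hits
    return findings


if __name__ == "__main__":
    evts = parse_error_log(ERROR_LOG)
    for first, last, n in find_restart_bursts(evts):
        print(f"ALERT: {n} mysqld startups between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for when, stmts in correlate_with_audit(evts, AUDIT_LOG, {"dba_admin"}).items():
        print(f"crash at {when}: privileged statements shortly before:", *stmts, sep="\n  ")
```

The maintenance restart at 02:00 is deliberately left out of the burst because it stands alone; only the three startups within fifteen minutes of each other raise the alert. Feed the real error log (typically the file named by `log_error`) and your audit plugin's output into the two functions, and populate the privileged-user set from the output of the mysql.user query in the Workarounds section.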
How to Mitigate CVE-2026-35240
Immediate Actions Required
- Review and restrict administrative privileges to only essential personnel
- Implement network segmentation to limit MySQL server access to trusted hosts only
- Enable comprehensive audit logging for all privileged database operations
- Apply the Oracle Critical Patch Update as soon as possible
Patch Information
Oracle has addressed this vulnerability in the April 2026 Critical Patch Update. Organizations should upgrade their MySQL Server installations to patched versions as specified in the Oracle Critical Patch Update Advisory.
For MySQL Server 8.0.x, upgrade to a version newer than 8.0.45. For MySQL Server 8.4.x, upgrade to a version newer than 8.4.8. For MySQL Server 9.x, upgrade to a version newer than 9.6.0.
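As an added example (not part of this advisory or of Oracle's material), the following Python classifies a version string from `SELECT VERSION()` or `mysqld --version` against the ranges listed above. The ranges are copied from the Affected Products list on this page; the version strings it is exercised with are constructed, and versions outside the listed ranges (for example the 8.1 to 8.3 innovation releases or 5.7) are reported as not listed rather than as safe, because this page says nothing about them.

```python
"""Classify a MySQL Server version against the affected ranges listed in this
advisory for CVE-2026-35240.  Added example; the ranges come from the advisory
text and the sample version strings are constructed."""
import re

# Inclusive (lowest, highest) affected versions, per the Affected Products list.
AFFECTED_RANGES = [
    ((8, 0, 0), (8, 0, 45)),
    ((8, 4, 0), (8, 4, 8)),
    ((9, 0, 0), (9, 6, 0)),
]

# First MAJOR.MINOR.PATCH triplet in the string; works for plain "8.0.45",
# distro suffixes such as "8.0.44-0ubuntu0.22.04.1", and "mysqld --version" output.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from SELECT VERSION() or mysqld --version output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no MySQL version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def affected_range(text):
    """Return the (lo, hi) range the version falls in, or None if not listed."""
    v = parse_version(text)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v <= hi:
            return lo, hi
    return None


def is_affected(text):
    return affected_range(text) is not None


def assess(text):
    """Human-readable verdict; the fix guidance mirrors the advisory wording
    ('newer than' the range's upper bound) rather than naming a fixed build."""
    v = ".".join(map(str, parse_version(text)))
    rng = affected_range(text)
    if rng is None:
        return f"{v}: not in the ranges listed for CVE-2026-35240"
    hi = ".".join(map(str, rng[1]))
    return f"{v}: AFFECTED by CVE-2026-35240, upgrade to a release newer than {hi}"


if __name__ == "__main__":
    # Constructed inputs covering the forms the parser accepts.
    for sample in ("8.0.44-0ubuntu0.22.04.1", "8.0.46",
                   "mysqld  Ver 8.4.8 for Linux on x86_64 (MySQL Community Server - GPL)",
                   "9.6.0", "9.7.0"):
        print(assess(sample))
```

Run it across a fleet by piping each server's `mysql -e "SELECT VERSION()"` output into `assess`; the upper bounds are inclusive, so 8.0.45, 8.4.8 and 9.6.0 themselves are reported as affected, matching the upgrade guidance above.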
Workarounds
- Restrict network access to MySQL Server to only trusted administrative hosts using firewall rules
- Implement strict role-based access control to minimize the number of high-privilege accounts
- Enable MySQL Enterprise Firewall (if licensed) to whitelist expected query patterns
- Consider read-only replicas for non-critical operations to reduce primary server attack surface
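The Python below is an added example, not code from this advisory, that carries the privileged-user review further than the single query in the snippet that follows: it takes rows in the shape of `SELECT user, host, Super_priv, Grant_priv FROM mysql.user`, classifies each high-privilege account's host value against a trusted network, and drafts the REVOKE statements for review. The rows, the user names and the `bastion.corp.example` hostname are constructed; the 10.0.0.0/8 trusted network is an assumption taken from the iptables example on this page.

```python
"""Flag SUPER / GRANT OPTION accounts in mysql.user whose host value reaches
beyond a trusted network, and draft least-privilege follow-ups.  Added example:
rows and names are constructed; the trusted CIDR is assumed (10.0.0.0/8)."""
import ipaddress

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: admin network

# Constructed rows in the shape of
#   SELECT user, host, Super_priv, Grant_priv FROM mysql.user;
USER_ROWS = [
    ("root",       "localhost",            "Y", "Y"),
    ("dba_admin",  "10.0.5.12",            "Y", "Y"),
    ("legacy_ops", "%",                    "Y", "N"),
    ("reporting",  "203.0.113.7",          "N", "Y"),
    ("app_rw",     "10.0.%",               "N", "N"),
    ("app_ro",     "%",                    "N", "N"),
    ("ops_host",   "bastion.corp.example", "Y", "N"),
]


def classify_host(host):
    """Map a mysql.user host value to local / trusted / wildcard / external / unverified."""
    if host in ("localhost", "127.0.0.1", "::1"):
        return "local"
    if "%" in host or "_" in host:
        return "wildcard"  # MySQL matches hosts with LIKE semantics: % and _ are patterns
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unverified"  # hostname or ip/netmask form: cannot be checked offline
    return "trusted" if any(addr in net for net in TRUSTED_NETS) else "external"


def review(rows):
    """Return (user, host, privileges, exposure) for every account holding SUPER
    or GRANT OPTION from anywhere other than localhost or the trusted network."""
    findings = []
    for user, host, super_priv, grant_priv in rows:
        privs = [name for name, flag in (("SUPER", super_priv), ("GRANT OPTION", grant_priv))
                 if flag == "Y"]
        if not privs:
            continue
        exposure = classify_host(host)
        if exposure in ("wildcard", "external", "unverified"):
            findings.append((user, host, privs, exposure))
    return findings


def remediation(findings):
    """Draft SQL for the DBA to review.  Revoking the global privilege is the
    least-privilege step; narrowing the host itself means recreating the account
    with a tighter host value or relying on the firewall rule."""
    stmts = []
    for user, host, privs, exposure in findings:
        if exposure == "unverified":
            stmts.append(f"-- verify that '{user}'@'{host}' resolves inside the trusted network")
            continue
        for priv in privs:
            stmts.append(f"REVOKE {priv} ON *.* FROM '{user}'@'{host}';")
    return stmts


if __name__ == "__main__":
    found = review(USER_ROWS)
    for user, host, privs, exposure in found:
        print(f"{user}@{host}: {', '.join(privs)} reachable from {exposure} host")
    print("\n".join(remediation(found)))
```

Accounts such as `dba_admin@10.0.5.12` stay out of the findings because they already sit inside the network the firewall rule admits; the review is meant to be repeated after each privilege change, since a single new `'someone'@'%'` with SUPER reopens the exposure this advisory describes.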
# Example: Restrict MySQL access to trusted hosts via firewall
iptables -A INPUT -p tcp --dport 3306 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
# Review privileged users in MySQL
mysql -e "SELECT user, host FROM mysql.user WHERE Super_priv='Y' OR Grant_priv='Y';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

