CVE-2026-35549 Overview
An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2. If the caching_sha2_password authentication plugin is installed, and some user accounts are configured to use it, a large packet can crash the server because sha256_crypt_r uses alloca.
Critical Impact
Authenticated attackers can crash MariaDB Server instances by sending large authentication packets, causing denial of service for all database-dependent applications.
Affected Products
- MariaDB Server versions before 11.4.10
- MariaDB Server versions 11.5.x through 11.8.x before 11.8.6
- MariaDB Server versions 12.x before 12.2.2
Discovery Timeline
- 2026-04-03 - CVE CVE-2026-35549 published to NVD
- 2026-04-03 - Last updated in NVD database
Technical Details for CVE-2026-35549
Vulnerability Analysis
This vulnerability is classified under CWE-789 (Memory Allocation with Excessive Size Value). The flaw exists within the caching_sha2_password authentication plugin used by MariaDB Server. When processing authentication requests, the sha256_crypt_r function utilizes alloca() for memory allocation on the stack. The alloca() function allocates memory directly from the stack frame of the calling function, which has limited space compared to heap memory.
When an attacker sends an oversized authentication packet, the alloca() call attempts to allocate an excessive amount of stack memory. This can cause stack overflow or stack exhaustion, leading to an immediate server crash. The vulnerability requires the attacker to have low-level authentication privileges to initiate the authentication handshake with the vulnerable plugin.
Root Cause
The root cause lies in the unsafe use of alloca() within the sha256_crypt_r function. Unlike heap allocation functions like malloc(), alloca() does not perform bounds checking and allocates memory directly on the stack. When processing user-controlled input (the authentication packet size), the function fails to validate the size before allocation, allowing attackers to specify arbitrarily large values that exceed available stack space.
Attack Vector
The attack is network-based and requires low privileges to execute. An attacker must:
- Establish a network connection to the MariaDB Server instance
- Target user accounts configured to use the caching_sha2_password authentication plugin
- Send a crafted authentication packet with an excessively large size value
- The server's sha256_crypt_r function processes the packet and calls alloca() with the oversized value
- Stack exhaustion occurs, causing the server process to crash
The vulnerability does not require user interaction and affects only the availability of the system (no confidentiality or integrity impact). Technical details and tracking information are available in the MariaDB Jira Issue MDEV-38365.
Detection Methods for CVE-2026-35549
Indicators of Compromise
- Unexpected MariaDB server crashes or restarts without clear operational cause
- Large authentication packets in network traffic destined for MariaDB ports (default 3306)
- Error logs indicating stack overflow or segmentation faults during authentication processing
- Repeated authentication attempts from unusual sources targeting accounts using caching_sha2_password
Detection Strategies
- Monitor MariaDB error logs for crash events related to authentication or memory allocation failures
- Implement network-level packet inspection to detect abnormally large authentication packets
- Deploy database activity monitoring to track authentication patterns and anomalies
- Configure alerting for unexpected MariaDB service restarts or crashes
Monitoring Recommendations
- Enable detailed logging for MariaDB authentication events
- Set up real-time monitoring of MariaDB process health and uptime
- Implement network flow analysis for traffic patterns to database servers
- Configure SIEM rules to correlate authentication failures with service interruptions
How to Mitigate CVE-2026-35549
Immediate Actions Required
- Upgrade MariaDB Server to version 11.4.10 or later for the 11.4.x branch
- Upgrade MariaDB Server to version 11.8.6 or later for the 11.5.x through 11.8.x branches
- Upgrade MariaDB Server to version 12.2.2 or later for the 12.x branch
- Review user accounts to identify those using the caching_sha2_password plugin
- Implement network segmentation to restrict database access to trusted hosts only
Patch Information
MariaDB has released patched versions addressing this vulnerability. Administrators should upgrade to the following minimum versions:
- Version 11.4.10 for the 11.4.x series
- Version 11.8.6 for the 11.5.x through 11.8.x series
- Version 12.2.2 for the 12.x series
For detailed patch information and upgrade instructions, refer to the MariaDB Jira Issue MDEV-38365.
Workarounds
- Temporarily disable the caching_sha2_password plugin if not operationally required by uninstalling or removing it from the server configuration
- Migrate affected user accounts to alternative authentication plugins such as mysql_native_password until patching is complete
- Implement firewall rules to limit network access to MariaDB servers from trusted IP addresses only
- Deploy a reverse proxy or connection pooler that validates packet sizes before forwarding to the database server
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
