CVE-2026-46863 Overview
CVE-2026-46863 is a denial-of-service vulnerability in the Connection Handling component of Oracle MySQL Server and MySQL Cluster. An unauthenticated remote attacker can exploit the flaw over the network using multiple protocols. Successful exploitation results in a hang or repeatable crash, producing a complete denial of service.
Affected versions include MySQL Server 8.4.0-8.4.9 and 9.0.0-9.7.0, plus MySQL Cluster 8.0.11-8.0.46, 8.4.0-8.4.9, and 9.0.0-9.7.0. The weakness maps to [CWE-400] Uncontrolled Resource Consumption.
Critical Impact
Unauthenticated attackers can crash or hang MySQL Server and MySQL Cluster instances remotely, taking dependent applications offline.
Affected Products
- Oracle MySQL Server versions 8.4.0 through 8.4.9 and 9.0.0 through 9.7.0
- Oracle MySQL Cluster versions 8.0.11 through 8.0.46 and 8.4.0 through 8.4.9
- Oracle MySQL Cluster versions 9.0.0 through 9.7.0
Discovery Timeline
- 2026-06-17 - CVE-2026-46863 published to the National Vulnerability Database
- 2026-06-17 - Oracle released the June 2026 Critical Patch Update Security Alert
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-46863
Vulnerability Analysis
The vulnerability resides in the MySQL Server Connection Handling component. The flaw is classified as [CWE-400] Uncontrolled Resource Consumption. An attacker reaches the vulnerable code path over the network without authentication or user interaction.
Oracle describes the vulnerability as easily exploitable. Successful exploitation impacts availability only — confidentiality and integrity are not affected. The result is a hang or frequently repeatable crash that produces a complete denial of service for the database service.
MySQL Cluster deployments inherit the same risk because they share the Connection Handling code path. An EPSS score places exploitation probability in the lower percentile range, but the lack of authentication requirements lowers the practical barrier for opportunistic attacks.
Root Cause
The root cause is improper handling of incoming connection requests in the MySQL Server connection layer. The component fails to bound resource consumption when processing certain network inputs. This allows malformed or abusive traffic to exhaust resources or trigger a fatal condition, producing the hang or crash behavior Oracle documented.
Attack Vector
The attack vector is network-based. An attacker sends crafted traffic to the MySQL listener using one of the supported protocols. No credentials, no prior session, and no user interaction are required. Internet-exposed MySQL instances and MySQL Cluster management nodes are the primary exposure points.
No verified public proof-of-concept code is available. See the Oracle Security Alert June 2026 for vendor technical details.
Detection Methods for CVE-2026-46863
Indicators of Compromise
- Unexpected mysqld process crashes or restarts recorded in system logs and MySQL error logs
- Sudden spikes in connection attempts from a single source followed by service unavailability
- Repeated client disconnects, aborted connections, or Too many connections errors preceding a crash
- MySQL Cluster data nodes losing quorum or management nodes restarting without administrator action
Detection Strategies
- Monitor the MySQL error log for abnormal termination messages and signal-handler stack traces
- Correlate network flow telemetry to the MySQL port (default 3306) with subsequent service restarts
- Track the Aborted_connects and Connection_errors_* status variables for anomalous growth
- Alert on process exit codes from mysqld and on systemd unit restart counters exceeding baseline
Monitoring Recommendations
- Forward MySQL error logs, audit logs, and host process telemetry to a centralized analytics platform
- Baseline normal connection volume per source IP and alert on deviations against the MySQL listener
- Watch for repeated TCP resets or half-open connections targeting 3306 and Cluster management ports
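The following script is an added example (not from this page or from Oracle) that applies the detection and monitoring points above to constructed data: it scans a sample mysqld error-log excerpt for abnormal-termination banners and counts aborted connections per source host, and it turns two samples of a cumulative status counter such as Aborted_connects into a rate that can be compared against a baseline. The log lines, hosts and thresholds are constructed for illustration.

```python
import re
from collections import Counter

# Constructed mysqld error-log excerpt for demonstration; not captured from a real incident.
SAMPLE_ERROR_LOG = """\
2026-06-18T02:14:02.2Z 45 [Note] [Server] Aborted connection 45 to db: 'unconnected' user: 'unauthenticated' host: '198.51.100.7' (Got an error reading communication packets).
2026-06-18T02:14:02.3Z 46 [Note] [Server] Aborted connection 46 to db: 'unconnected' user: 'unauthenticated' host: '198.51.100.7' (Got an error reading communication packets).
2026-06-18T02:14:02.4Z 47 [Note] [Server] Aborted connection 47 to db: 'unconnected' user: 'unauthenticated' host: '198.51.100.7' (Got an error reading communication packets).
2026-06-18T02:14:02.5Z 48 [Note] [Server] Aborted connection 48 to db: 'app' user: 'app' host: '10.0.0.21' (Got timeout reading communication packets).
2026-06-18T02:14:03.1Z 0 [System] [Server] mysqld got signal 11 ;
"""

# Abnormal-termination signatures: the signal-handler crash banner or an assertion failure.
CRASH_RE = re.compile(r"mysqld got signal (\d+)|Assertion failure")
# Client-disconnect records carry the peer host; they are counted per source.
ABORTED_RE = re.compile(r"Aborted connection \d+ .*?host: '([^']+)'")


def analyze_error_log(text, per_host_threshold=3):
    """Return crash lines, aborted-connection counts per host, and hosts at/over threshold."""
    crashes, per_host = [], Counter()
    for line in text.splitlines():
        if CRASH_RE.search(line):
            crashes.append(line.strip())
        m = ABORTED_RE.search(line)
        if m:
            per_host[m.group(1)] += 1
    noisy = {host: n for host, n in per_host.items() if n >= per_host_threshold}
    return {"crashes": crashes, "aborted_per_host": dict(per_host), "noisy_hosts": noisy}


def status_counter_rate(previous, current, interval_s):
    """Per-second growth of a cumulative SHOW GLOBAL STATUS counter (e.g. Aborted_connects).
    Counters restart from zero after mysqld restarts, so a negative delta is itself a restart signal."""
    delta = current - previous
    if delta < 0:
        return None  # counter reset: the server restarted between the two samples
    return delta / interval_s


def should_alert(rate, baseline_rate, factor=5.0):
    """Alert on a suspected restart (rate is None) or on growth above factor x baseline."""
    return rate is None or rate > baseline_rate * factor
```

Feed `analyze_error_log` the tail of the live error log on a schedule, and sample the status counter at a fixed interval so the rate comparison is meaningful.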
How to Mitigate CVE-2026-46863
Immediate Actions Required
- Apply the Oracle Critical Patch Update released in the Oracle Security Alert June 2026
- Inventory all MySQL Server and MySQL Cluster instances against the affected version ranges
- Restrict network exposure of MySQL listeners to trusted application tiers and management networks
- Enable automatic service recovery so crashed mysqld processes restart while patching proceeds
Patch Information
Oracle addressed CVE-2026-46863 in the June 2026 Critical Patch Update. Per Oracle guidance, upgrade MySQL Server to a release later than 8.4.9 on the 8.4 branch and later than 9.7.0 on the 9.x branch. Upgrade MySQL Cluster to a release later than 8.0.46, 8.4.9, or 9.7.0 on the respective branches. Refer to the Oracle Security Alert June 2026 for the exact fixed builds.
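To support the inventory step above and the patch bounds just given, here is an added example (not code from the page or from Oracle) that checks version strings against the affected ranges this page lists. Product keys, host names and the sample inventory are constructed for illustration; versions above a range's upper bound are treated as outside the affected range only in the sense the page states, so exact fixed builds still need to be confirmed against the Oracle alert.

```python
import re

# Affected version ranges exactly as listed on this page (inclusive bounds).
AFFECTED_RANGES = {
    "mysql-server": [("8.4.0", "8.4.9"), ("9.0.0", "9.7.0")],
    "mysql-cluster": [("8.0.11", "8.0.46"), ("8.4.0", "8.4.9"), ("9.0.0", "9.7.0")],
}

# Leading numeric triple of a VERSION() string; suffixes such as '-cluster' are ignored.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch); reject strings without a full triple instead of guessing."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(product, version):
    """True when version falls inside any listed range for the product."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES[product])


def triage(inventory):
    """inventory: iterable of (host, product, version) -> entries that still need the patch."""
    return [(host, product, version) for host, product, version in inventory
            if is_affected(product, version)]


# Constructed inventory (hypothetical hosts; the '-cluster' suffix form is illustrative).
SAMPLE_INVENTORY = [
    ("db-01", "mysql-server", "8.4.9"),
    ("db-02", "mysql-server", "8.4.10"),
    ("db-03", "mysql-server", "8.0.46"),          # Server 8.0 is not listed as affected here
    ("ndb-01", "mysql-cluster", "8.0.46-cluster"),
    ("ndb-02", "mysql-cluster", "8.0.10"),
    ("db-04", "mysql-server", "9.7.0"),
]
```

Populate the inventory from `SELECT VERSION()` on each instance; a host absent from `triage()` output is outside the page's listed ranges, not necessarily on a fixed build.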
Workarounds
- Place MySQL behind a firewall or security group that permits only known application sources
- Use a connection proxy such as ProxySQL or MySQL Router to rate-limit and filter inbound traffic
- Disable network protocols that are not required and bind mysqld to internal interfaces only
- Configure max_connections and per-host connection limits to reduce resource starvation impact
# Configuration example: restrict MySQL bind address and limit connections
# /etc/mysql/mysql.conf.d/mysqld.cnf
[mysqld]
bind-address = 10.0.0.10
max_connections = 200
max_user_connections = 50
max_connect_errors = 10
# Host firewall example (iptables) - allow only the app subnet
iptables -A INPUT -p tcp --dport 3306 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.