Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated network-reachable TLS listener (AV:N/AC:L/PR:N/UI:N), no user interaction, availability-only crash/hang of Router process with no scope change and no C/I impact.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General). Supported versions that are affected are 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise MySQL Router. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Router. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
AnalysisAI
Denial of service in Oracle MySQL Router 8.4.0-8.4.9 and 9.0.0-9.7.0 allows unauthenticated remote attackers to hang or repeatedly crash the routing service over TLS-enabled network connections, producing a complete DOS of the affected component. CVSS 3.1 scores this 7.5 with availability-only impact, and no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker needs only network reachability to a MySQL Router instance's TLS-enabled client port (typically the classic protocol on 6446/6447 or X Protocol on 6448/6449) on a vulnerable 8.4.0-8.4.9 or 9.0.0-9.7.0 build; no authentication, no valid MySQL credentials, and no user interaction are required, consistent with AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H is internally consistent with the description: network-reachable, low-complexity, unauthenticated, no user interaction, availability-only impact, base 7.5. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach a MySQL Router TLS listener - for example, a Router exposed on a shared cloud subnet or fronting a public-facing application - opens a TLS connection and sends a crafted payload that triggers the parsing or state-handling defect, causing the Router process to hang or crash and severing all routed application connections to the backend MySQL cluster. Repeating the request keeps the Router unavailable, producing a sustained outage of every application that depends on it; no public exploit code was identified at time of analysis, but Oracle's 'easily exploitable' rating implies the trigger is straightforward once the vulnerable code path is identified. |
| Remediation | Patch available per vendor advisory - apply the fixed MySQL Router builds shipped in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); an exact post-9.7.0 fixed version is not independently confirmed in the input data, so consult the CPU matrix for the precise build number for your branch (8.4.x or 9.x). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all production MySQL Router instances and confirm which versions (8.4.0-8.4.9, 9.0.0-9.7.0) are deployed; activate enhanced monitoring for connection anomalies and service restarts. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Mysql Router
View allSame weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37355