Skip to main content

MySQL Router CVE-2026-46862

| EUVDEUVD-2026-37355 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-16 oracle
7.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable TLS listener (AV:N/AC:L/PR:N/UI:N), no user interaction, availability-only crash/hang of Router process with no scope change and no C/I impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:39 vuln.today

DescriptionCVE.org

Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General). Supported versions that are affected are 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise MySQL Router. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Router. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

AnalysisAI

Denial of service in Oracle MySQL Router 8.4.0-8.4.9 and 9.0.0-9.7.0 allows unauthenticated remote attackers to hang or repeatedly crash the routing service over TLS-enabled network connections, producing a complete DOS of the affected component. CVSS 3.1 scores this 7.5 with availability-only impact, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed MySQL Router TLS port
Delivery
Open TLS connection to Router listener
Exploit
Send crafted protocol payload
Execution
Trigger hang or crash in Router process
Persist
Repeat to sustain outage
Impact
Downstream applications lose database connectivity

Vulnerability AssessmentAI

Exploitation The attacker needs only network reachability to a MySQL Router instance's TLS-enabled client port (typically the classic protocol on 6446/6447 or X Protocol on 6448/6449) on a vulnerable 8.4.0-8.4.9 or 9.0.0-9.7.0 build; no authentication, no valid MySQL credentials, and no user interaction are required, consistent with AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H is internally consistent with the description: network-reachable, low-complexity, unauthenticated, no user interaction, availability-only impact, base 7.5. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a MySQL Router TLS listener - for example, a Router exposed on a shared cloud subnet or fronting a public-facing application - opens a TLS connection and sends a crafted payload that triggers the parsing or state-handling defect, causing the Router process to hang or crash and severing all routed application connections to the backend MySQL cluster. Repeating the request keeps the Router unavailable, producing a sustained outage of every application that depends on it; no public exploit code was identified at time of analysis, but Oracle's 'easily exploitable' rating implies the trigger is straightforward once the vulnerable code path is identified.
Remediation Patch available per vendor advisory - apply the fixed MySQL Router builds shipped in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); an exact post-9.7.0 fixed version is not independently confirmed in the input data, so consult the CPU matrix for the precise build number for your branch (8.4.x or 9.x). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all production MySQL Router instances and confirm which versions (8.4.0-8.4.9, 9.0.0-9.7.0) are deployed; activate enhanced monitoring for connection anomalies and service restarts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46862 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy