Severity by source
Primary rating from Vendor (Oracle): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 7.5)
Oracle confirms unauthenticated network reach over multiple protocols with no user interaction and DoS-only impact, so A:H with C:N/I:N and PR:N/UI:N is appropriate.
Description (CVE.org)
Vulnerability in the MySQL Server, MySQL Cluster product of Oracle MySQL (component: Server: Connection Handling). Supported versions that are affected are MySQL Server: 8.4.0-8.4.9, 9.0.0-9.7.0; MySQL Cluster: 8.0.11-8.0.46, 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server, MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server, MySQL Cluster. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Analysis (AI)
Remote unauthenticated denial of service in Oracle MySQL Server (8.4.0-8.4.9 and 9.0.0-9.7.0) and MySQL Cluster (8.0.11-8.0.46, 8.4.0-8.4.9 and 9.0.0-9.7.0) lets a network attacker trigger a hang or repeatable crash of the database through the Server: Connection Handling component. Oracle rates the issue as easily exploitable over multiple protocols with no authentication or user interaction, producing a complete availability loss (CVSS 3.1 base score 7.5, A:H only). …
Vulnerability Assessment (AI)

| Area | Assessment |
|---|---|
| Exploitation | The MySQL Server or MySQL Cluster listener must be reachable by the attacker on at least one of its connection-handling protocols (typically TCP 3306 for the classic MySQL protocol, TCP 33060 for X Protocol, or, for Cluster, the NDB management port 1186 and the data-node port range); Oracle explicitly states that 'multiple protocols' are viable vectors. … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H is internally consistent with Oracle's 'easily exploitable, unauthenticated, over multiple protocols' wording: any host that can reach the MySQL listener can knock the instance over. … |
| Exploit Scenario | An attacker on the same network segment as a MySQL listener, or anywhere on the internet if the port is exposed, sends a crafted packet sequence over the classic MySQL protocol or X Protocol during connection establishment, causing mysqld (the SQL node in a Cluster deployment) to hang or crash. Repeating the request keeps the database offline, taking down every application that depends on it; no credentials, no user interaction and no prior foothold are required. … |
| Remediation | Apply the fixes shipped in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html). The input data does not include an exact fixed point release, so consult the CPU matrix for the specific 8.4.x, 9.7.x and 8.0.x NDB builds that supersede the affected ranges. … |
Recommended Action (AI)
Within 24 hours: inventory all MySQL deployments, identify instances inside the affected ranges (MySQL Server 8.4.0-8.4.9 or 9.0.0-9.7.0; MySQL Cluster 8.0.11-8.0.46, 8.4.0-8.4.9 or 9.0.0-9.7.0) and document their criticality and dependencies. …
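The inventory step above amounts to comparing each instance's VERSION() string with the per-product ranges in the CVE description and then ordering the work by whether the listener is reachable off-host, which is the page's stated precondition for exploitation. The following Python is an added example for this page, not code from vuln.today or Oracle; the '-cluster' suffix used to recognise NDB builds of mysqld, the host names, versions and bind addresses in the sample inventory are all assumptions constructed for illustration.

```python
"""Triage MySQL instances against the affected ranges quoted in the CVE description.

Added example for this page; not code from vuln.today or Oracle. Input is a
constructed inventory of (host, VERSION() string, listener bind address).
"""
import re

# Inclusive affected ranges per product, exactly as the CVE description states them.
# MySQL Server 8.0.x is NOT listed; only MySQL Cluster 8.0.11-8.0.46 is.
AFFECTED = {
    "server": [((8, 4, 0), (8, 4, 9)), ((9, 0, 0), (9, 7, 0))],
    "cluster": [((8, 0, 11), (8, 0, 46)), ((8, 4, 0), (8, 4, 9)), ((9, 0, 0), (9, 7, 0))],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
_LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_version(version_str):
    """Return (major, minor, patch) from a VERSION() string such as '8.4.3' or '8.0.40-cluster'."""
    m = _VERSION_RE.match(version_str.strip())
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {version_str!r}")
    return tuple(int(x) for x in m.groups())


def detect_product(version_str):
    """Assumption: mysqld built for NDB Cluster reports a '-cluster' suffix in VERSION()."""
    return "cluster" if "cluster" in version_str.lower() else "server"


def is_affected(version_str, product=None):
    """True if the version falls inside one of the advisory's ranges for the product."""
    v = parse_version(version_str)
    product = product or detect_product(version_str)
    return any(lo <= v <= hi for lo, hi in AFFECTED[product])


def is_exposed(listen):
    """True if the listener is bound to something other than a loopback address.

    Accepts 'host:port' or '[v6addr]:port'. A non-loopback bind is the page's
    precondition: any host that can reach the listener can trigger the DoS.
    """
    addr = listen.rsplit(":", 1)[0].strip("[]")
    return addr not in _LOOPBACK


def triage(inventory):
    """Return [(host, priority, reason)] with the most urgent instances first."""
    rows = []
    for item in inventory:
        affected = is_affected(item["version"])
        exposed = is_exposed(item["listen"])
        if affected and exposed:
            rows.append((item["host"], 1, "affected range, listener reachable off-host: patch first"))
        elif affected:
            rows.append((item["host"], 2, "affected range, loopback only: patch in normal cycle"))
        else:
            rows.append((item["host"], 3, "outside the ranges Oracle lists: confirm against the CPU matrix"))
    return sorted(rows, key=lambda r: r[1])


# Constructed sample inventory (host names, versions and binds are made up for illustration).
SAMPLE_INVENTORY = [
    {"host": "db-prod-01", "version": "8.4.3", "listen": "0.0.0.0:3306"},
    {"host": "db-prod-02", "version": "9.7.0", "listen": "127.0.0.1:3306"},
    {"host": "ndb-sql-01", "version": "8.0.40-cluster", "listen": "[::]:3306"},
    {"host": "legacy-01", "version": "8.0.40", "listen": "0.0.0.0:3306"},
    {"host": "dev-01", "version": "8.4.10", "listen": "0.0.0.0:33060"},
]

if __name__ == "__main__":
    for host, prio, reason in triage(SAMPLE_INVENTORY):
        print(f"P{prio}  {host:<12} {reason}")
```

Note that "outside the ranges Oracle lists" is deliberately not reported as "safe": a plain MySQL Server 8.0.x build, for example, is simply absent from the advisory text, and a build newer than 8.4.9 or 9.7.0 is only fixed if the CPU matrix says so, which is why those rows still point at the CPU.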
EUVD-2026-37356