Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated network-reachable TLS listener (AV:N/AC:L/PR:N/UI:N), no user interaction, availability-only crash/hang of Router process with no scope change and no C/I impact.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General). Supported versions that are affected are 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise MySQL Router. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Router. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
AnalysisAI
Denial of service in Oracle MySQL Router 8.4.0-8.4.9 and 9.0.0-9.7.0 allows unauthenticated remote attackers to hang or repeatedly crash the routing service over TLS-enabled network connections, producing a complete DOS of the affected component. CVSS 3.1 scores this 7.5 with availability-only impact, and no public exploit identified at time of analysis. Because MySQL Router brokers application traffic to InnoDB Cluster/ReplicaSet backends, an outage cascades into downstream application unavailability even when the database servers themselves remain healthy.
Technical ContextAI
MySQL Router is Oracle's lightweight middleware that transparently routes client connections to MySQL InnoDB Cluster, InnoDB ClusterSet, or ReplicaSet topologies, and is typically deployed alongside applications or as a sidecar in front of a Group Replication backend. The vulnerable component is identified by Oracle as 'Router: General' and the CPE cpe:2.3:a:oracle_corporation:mysql_router:*:*:*:*:*:*:*:*, reachable via TLS - meaning the bug is triggered through Router's TLS-enabled client listener rather than the backend MySQL protocol layer. No CWE was assigned in the input, but a CVSS profile of AV:N/AC:L/PR:N/UI:N with A:H only is characteristic of an unauthenticated pre-handshake or early-protocol parsing flaw (for example, a malformed TLS/handshake state or connection-handling defect) that crashes or hangs the Router process without affecting data confidentiality or integrity.
RemediationAI
Patch available per vendor advisory - apply the fixed MySQL Router builds shipped in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); an exact post-9.7.0 fixed version is not independently confirmed in the input data, so consult the CPU matrix for the precise build number for your branch (8.4.x or 9.x). Where immediate patching is not possible, restrict network reachability of the Router listener (typically tcp/6446 for read-write and tcp/6447 for read-only, plus the X Protocol ports 6448/6449) to known application subnets via host or perimeter firewalls, and front Router with a TCP-aware load balancer or service mesh that can rate-limit connection floods and terminate malformed TLS sessions before they reach Router. As a last resort, run Router in a supervised process manager (systemd Restart=always, Kubernetes liveness probes) so that crash-induced outages are bounded by restart time; this does not prevent the DOS but mitigates duration at the cost of reconnect storms on the backend cluster.
More in Mysql Router
View allSame weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37355