Skip to main content

MySQL Router EUVDEUVD-2026-37355

| CVE-2026-46862 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-16 oracle
7.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable TLS listener (AV:N/AC:L/PR:N/UI:N), no user interaction, availability-only crash/hang of Router process with no scope change and no C/I impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:39 vuln.today

DescriptionCVE.org

Vulnerability in the MySQL Router product of Oracle MySQL (component: Router: General). Supported versions that are affected are 8.4.0-8.4.9 and 9.0.0-9.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise MySQL Router. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Router. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

AnalysisAI

Denial of service in Oracle MySQL Router 8.4.0-8.4.9 and 9.0.0-9.7.0 allows unauthenticated remote attackers to hang or repeatedly crash the routing service over TLS-enabled network connections, producing a complete DOS of the affected component. CVSS 3.1 scores this 7.5 with availability-only impact, and no public exploit identified at time of analysis. Because MySQL Router brokers application traffic to InnoDB Cluster/ReplicaSet backends, an outage cascades into downstream application unavailability even when the database servers themselves remain healthy.

Technical ContextAI

MySQL Router is Oracle's lightweight middleware that transparently routes client connections to MySQL InnoDB Cluster, InnoDB ClusterSet, or ReplicaSet topologies, and is typically deployed alongside applications or as a sidecar in front of a Group Replication backend. The vulnerable component is identified by Oracle as 'Router: General' and the CPE cpe:2.3:a:oracle_corporation:mysql_router:*:*:*:*:*:*:*:*, reachable via TLS - meaning the bug is triggered through Router's TLS-enabled client listener rather than the backend MySQL protocol layer. No CWE was assigned in the input, but a CVSS profile of AV:N/AC:L/PR:N/UI:N with A:H only is characteristic of an unauthenticated pre-handshake or early-protocol parsing flaw (for example, a malformed TLS/handshake state or connection-handling defect) that crashes or hangs the Router process without affecting data confidentiality or integrity.

RemediationAI

Patch available per vendor advisory - apply the fixed MySQL Router builds shipped in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); an exact post-9.7.0 fixed version is not independently confirmed in the input data, so consult the CPU matrix for the precise build number for your branch (8.4.x or 9.x). Where immediate patching is not possible, restrict network reachability of the Router listener (typically tcp/6446 for read-write and tcp/6447 for read-only, plus the X Protocol ports 6448/6449) to known application subnets via host or perimeter firewalls, and front Router with a TCP-aware load balancer or service mesh that can rate-limit connection floods and terminate malformed TLS sessions before they reach Router. As a last resort, run Router in a supervised process manager (systemd Restart=always, Kubernetes liveness probes) so that crash-induced outages are bounded by restart time; this does not prevent the DOS but mitigates duration at the cost of reconnect storms on the backend cluster.

Share

EUVD-2026-37355 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy