{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21950", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-01-05T18:07:34.712Z", "datePublished": "2026-01-20T21:56:29.652Z", "dateUpdated": "2026-01-21T15:17:33.458Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-01-20T21:56:29.652Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "MySQL Server", "versions": [{"version": "9.0.0", "status": "affected", "lessThanOrEqual": "9.5.0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndIncluding": "9.5.0"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-21T15:16:52.811173Z", "id": "CVE-2026-21950", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T15:17:33.458Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21950", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-21T15:16:52.811173Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T15:17:26.891Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Oracle Corporation", "product": "MySQL Server", "versions": [{"status": "affected", "version": "9.0.0", "versionType": "custom", "lessThanOrEqual": "9.5.0"}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server."}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "9.5.0", "versionStartIncluding": "9.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-01-20T21:56:29.652Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21950", "state": "PUBLISHED", "dateUpdated": "2026-01-21T15:17:33.458Z", "dateReserved": "2026-01-05T18:07:34.712Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2026-01-20T21:56:29.652Z", "assignerShortName": "oracle"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "80A941A0-B16F-477B-9062-EF768F4CAAD4", "versionEndIncluding": "9.5.0", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)."}], "id": "CVE-2026-21950", "lastModified": "2026-01-29T15:28:59.573", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "secalert_us@oracle.com", "type": "Secondary"}]}, "published": "2026-01-20T22:15:57.993", "references": [{"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "mysql: Optimizer unspecified vulnerability (CPU Jan 2026)", "id": "2431400", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431400"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "details": ["Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)."], "name": "CVE-2026-21950", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "mysql8.4", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "mysql", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mysql:8.0/mysql", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "mysql:8.4/mysql", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "mysql", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "mysql:8.4/mysql", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-01-20T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21950\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21950\nhttps://www.oracle.com/security-alerts/cpujan2026.html#AppendixMSQL"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Oracle MySQL Critical Patch Update.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-18T15:40:10.197699+00:00", "value": {"mitigation_remediation": ["Install the latest MySQL Server release that contains the Oracle CPU Jan 2026 fix or apply the vendor\u2011supplied patch.", "Restrict inbound traffic to the MySQL port (3306) to trusted hosts or through a VPN and use firewall rules or ACLs to limit exposure.", "Continuously monitor MySQL logs for repeated crashes or hang patterns, and review query activity for signs of resource exhaustion."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Oracle MySQL Server versions 9.0.0 through 9.5.0 are affected; any instance of these versions exposed to network traffic is at risk.", "description_and_impact": "The vulnerability resides in the Optimizer component of Oracle MySQL Server and is a CWE\u2011400 Excessive Resource Consumption flaw. It allows an attacker with low privileges and network access via any supported protocol to provoke uncontrolled resource consumption that causes the server to hang or crash. There is no direct impact on confidentiality or integrity.", "risk_and_exploitability": "The CVSS 3.1 base score of 6.5 highlights a high availability impact, while the EPSS score of 0.00053 indicates a very low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it remotely with only low privileges and multiple protocols, so the risk is moderate for publicly exposed databases."}}}}, "created": "2026-04-18T15:45:04.273977+00:00", "updated": "2026-04-18T15:45:04.273988+00:00", "vendors": []}