CVE-2021-2437 in MySQL Server

Summary

by MITRE • 07/21/2021

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


Analysis

by VulDB Data Team • 08/17/2025

The vulnerability identified as CVE-2021-2437 is an availability issue in the Server: Optimizer component of Oracle MySQL Server, affecting versions 8.0.25 and prior. The flaw lies in the server's query optimization logic, where input from an authenticated client can cause the database engine to misbehave. Oracle rates it as easily exploitable: an attacker who already holds high privileges on the server and can reach it over the network, via any of the supported client protocols, can trigger it. That makes the issue most relevant where administrative database accounts are widely held, shared, or at risk of compromise, and where the server is reachable from more of the network than it needs to be. The CVSS 3.1 base score of 4.9 (Medium) reflects a high availability impact with no confidentiality or integrity impact; the vector (AV:N/AC:L/PR:H/UI:N/S:U) indicates a network attack vector, low attack complexity, high privileges required, no user interaction, and unchanged scope.

Oracle's advisory does not describe the root cause beyond locating it in the optimizer, the component that analyzes a statement and plans its execution path. The observable effect is the one Oracle states: a statement that exercises the flaw causes the server to hang or to crash, and because the trigger is repeatable, an attacker can keep the server down by resubmitting it after every restart. The result is a complete denial of service for the database: legitimate operations cannot complete while the server is hung, and are interrupted each time it crashes. No confidentiality or integrity impact is attributed to the flaw, so the server is unavailable rather than compromised.

From an operational perspective, successful exploitation can take down every application that depends on the affected MySQL instance, with the corresponding effect on business continuity. The attack is delivered over the server's normal client protocols, so any path by which a high-privileged account can reach the server is a viable vector. Because the crash is frequently repeatable, a single attacker with a working trigger can keep the server unusable until the underlying flaw is patched; restarting the service merely resets the cycle, and no data restoration is implied by the advisory. The weakness affects the availability leg of the CIA triad; it can be classified under CWE-400 (Uncontrolled Resource Consumption), and in ATT&CK terms maps most naturally to T1499.004 (Endpoint Denial of Service: Application or System Exploitation).

The primary mitigation is to upgrade affected MySQL Server installations to 8.0.26 or later, the release in which Oracle fixed the issue as part of its July 2021 Critical Patch Update. Until the upgrade is done, the attack surface can be reduced with the controls the CVSS vector points to: restrict network access to the server to the hosts that need it, and keep the set of accounts holding high privileges as small as possible, since only such accounts can trigger the flaw. Per-account resource limits and statement execution-time caps bound what a single connection can consume, although they cannot prevent a crash. Database activity monitoring and review of long-running statements from privileged accounts give early warning of exploitation attempts, and a server that crashes repeatedly after restarting should be treated as a possible attack rather than a hardware fault. Regular vulnerability scanning against the installed version closes the loop and catches other outstanding Oracle patches for the same infrastructure.
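The checks and interim controls described above, as an added example that is not part of the VulDB analysis or of Oracle's advisory. It is meant to be run by a MySQL administrator against an 8.0 server; the account name 'app_rw', the source network '10.0.0.%', the schema 'appdb' and the thresholds are assumptions chosen for illustration.

```sql
-- Added example (not from VulDB or Oracle). Run as a MySQL administrator.
-- Account name, network range, schema name and thresholds are assumed.

-- 1. Is this server in the affected range (8.0.x with x <= 25)?
--    VERSION() may carry a build suffix such as '8.0.25-0ubuntu0.20.04.1',
--    so the suffix after '-' is stripped before the patch number is read.
SELECT VERSION() AS server_version,
       VERSION() LIKE '8.0.%'
         AND CAST(SUBSTRING_INDEX(SUBSTRING_INDEX(VERSION(), '-', 1), '.', -1)
                  AS UNSIGNED) <= 25 AS affected_by_cve_2021_2437;

-- 2. Who holds the kind of high privilege the attacker needs?
--    Review this list and revoke grants that are not required.
SELECT GRANTEE, PRIVILEGE_TYPE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE IN ('SUPER', 'PROCESS', 'FILE', 'SHUTDOWN')
ORDER BY GRANTEE, PRIVILEGE_TYPE;

-- 3. Application accounts: least privilege, a narrow source network,
--    and per-account resource limits ('app_rw', '10.0.0.%' and 'appdb'
--    are placeholders).
CREATE USER IF NOT EXISTS 'app_rw'@'10.0.0.%'
  IDENTIFIED BY 'replace-with-a-generated-secret'
  WITH MAX_USER_CONNECTIONS 25
       MAX_QUERIES_PER_HOUR 200000;
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_rw'@'10.0.0.%';

-- 4. Cap SELECT execution time server-wide (milliseconds; applies to
--    read-only SELECT statements). PERSIST keeps it across restarts.
SET PERSIST max_execution_time = 30000;

-- 5. Watch for long-running statements, especially from privileged
--    accounts. Schedule this from the monitoring system and alert on rows.
SELECT pl.ID, pl.USER, pl.HOST, pl.TIME AS seconds, pl.STATE,
       LEFT(pl.INFO, 200) AS statement_prefix
FROM information_schema.PROCESSLIST AS pl
WHERE pl.COMMAND = 'Query'
  AND pl.TIME > 30
ORDER BY pl.TIME DESC;
```

Two caveats apply. The version check only identifies the unpatched range; it does not confirm that a given build is vulnerable, since vendor-patched builds (the Ubuntu suffix above) may carry a backported fix under the old version number. And max_execution_time is enforced by a timer on SELECT statements, so it may not interrupt a hang that occurs before execution starts and does nothing against a crash; the upgrade to 8.0.26 is the actual fix.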

Responsible

Oracle

Reservation

12/09/2020

Disclosure

07/21/2021

Moderation

accepted

CPE

ready

EPSS

0.01710

KEV

no

Activities

very low
