CVE-2021-35577 in MySQL Server
Summary
by MITRE • 10/20/2021
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via MySQL Protcol to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/17/2025
The vulnerability identified as CVE-2021-35577 represents a critical availability threat within Oracle MySQL Server's optimizer component, affecting versions 8.0.26 and earlier. This flaw exists within the server's query optimization logic and demonstrates how seemingly minor issues in database engine internals can escalate into significant operational disruptions. The vulnerability's classification as easily exploitable indicates that attackers with minimal technical barriers can leverage this weakness, making it particularly concerning for production environments where database availability is paramount. The CVSS score of 4.9 reflects the moderate to high impact on system availability, with the potential to cause complete denial of service conditions that can severely impact business operations.
The technical nature of this vulnerability stems from improper handling within the MySQL Server's optimizer module, specifically when processing certain query execution paths. Attackers with high privileged access and network connectivity via the MySQL protocol can craft malicious queries that trigger memory corruption or resource exhaustion conditions within the optimizer engine. This exploitation pattern typically involves constructing complex SQL statements that force the server into problematic execution paths, ultimately leading to system instability. The vulnerability's design flaw lies in the lack of proper input validation and boundary checking within the optimizer's query processing logic, creating opportunities for attackers to manipulate the execution flow and induce crashes or hangs.
The operational impact of this vulnerability extends beyond simple service disruption to encompass potential data integrity concerns and business continuity risks. When successfully exploited, the vulnerability can cause repeated crashes or indefinite hangs of the MySQL Server process, effectively rendering the database unavailable to legitimate users and applications. Organizations relying on MySQL for critical business operations face significant downtime risks, with potential cascading effects on dependent systems and services. The complete denial of service condition means that database transactions cannot proceed normally, leading to application failures, user access issues, and potential revenue loss during outage periods. This vulnerability particularly affects environments where database performance and availability are critical requirements for business operations.
Mitigation strategies for CVE-2021-35577 should prioritize immediate patching of affected MySQL Server installations to version 8.0.27 or later, which contains the necessary fixes for the optimizer component vulnerability. Organizations should implement network segmentation and access controls to limit exposure of MySQL services to only authorized network segments and users. The principle of least privilege must be enforced by restricting MySQL protocol access to essential administrative accounts and implementing strong authentication mechanisms. Additionally, monitoring systems should be enhanced to detect unusual query patterns or repeated connection attempts that might indicate exploitation attempts. Regular vulnerability assessments and penetration testing should be conducted to identify similar weaknesses in database configurations and access controls, aligning with industry best practices for database security management and compliance requirements.
This vulnerability aligns with CWE-121, which addresses stack-based buffer overflow conditions, and demonstrates how database engine optimization components can create exploitable entry points. From an ATT&CK framework perspective, this vulnerability maps to T1499.004 for network denial of service and T1071.004 for application layer protocol usage, representing how attackers can leverage database protocol implementations for system compromise. The vulnerability's characteristics also reflect common database security issues documented in various security frameworks, emphasizing the importance of proper input validation and resource management in database engine components. Organizations should review their incident response procedures to ensure rapid identification and remediation of similar vulnerabilities, particularly focusing on database security monitoring and threat intelligence integration.