CVE-2021-35612 in MySQL Server
Summary
by MITRE • 10/20/2021
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H).
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/17/2025
The vulnerability identified as CVE-2021-35612 represents a significant security flaw within Oracle MySQL Server's optimizer component affecting versions 8.0.26 and earlier. This issue falls under the Common Weakness Enumeration category CWE-121, which deals with stack-based buffer overflow conditions, though the specific manifestation in this case involves query optimization routines that can be manipulated through carefully crafted SQL statements. The vulnerability's classification as easily exploitable indicates that an attacker with high privileges and network access can leverage this weakness to compromise the database server's integrity and availability.
The technical flaw manifests when the MySQL Server's optimizer processes certain complex SQL queries that trigger memory corruption within the query execution engine. This corruption occurs during the optimization phase where the server attempts to analyze and plan execution paths for queries involving specific join operations and subqueries. The vulnerability allows an authenticated attacker with sufficient privileges to craft malicious queries that can cause the MySQL server process to crash repeatedly or enter a state where it becomes unresponsive, effectively creating a denial of service condition. The attack vector requires network access and high privileges, meaning that the attacker must already have legitimate access to the database server with elevated permissions.
The operational impact of this vulnerability extends beyond simple service disruption to include potential data integrity compromise. Successful exploitation can result in unauthorized modification of database content, allowing attackers to insert, update, or delete data within the MySQL Server's accessible data stores. The CVSS score of 5.5 reflects the balance between the availability impact (high) and the integrity impact (low to moderate), indicating that while the primary concern is system availability through denial of service, there is also a risk of data manipulation. This vulnerability particularly affects organizations running older MySQL versions where patching may not have been completed, leaving systems exposed to potential exploitation by sophisticated attackers.
Organizations should prioritize immediate patching of affected MySQL Server installations to address this vulnerability, as the CVSS vector indicates the attack requires low complexity and high privileges but can result in significant availability disruption. The mitigation strategy should include implementing proper access controls to limit high-privileged database accounts and monitoring for unusual query patterns that might indicate exploitation attempts. Additionally, organizations should consider implementing network segmentation and intrusion detection systems to monitor for potential exploitation attempts. The vulnerability demonstrates the importance of keeping database software updated, as this issue was resolved in later MySQL versions through improved query optimization routines and memory management. Security teams should also conduct regular vulnerability assessments to identify other potential attack vectors within database environments and ensure that all database components are maintained at supported versions to prevent similar issues from arising.