CVE-2021-35641 in MySQL Serverinfo

Summary

by MITRE • 10/20/2021

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 05/17/2025

The vulnerability identified as CVE-2021-35641 represents a significant availability risk within Oracle MySQL Server's optimizer component, affecting versions 8.0.26 and earlier. This flaw resides in the server's query optimization logic where an attacker with high privileges and network access can trigger a condition that leads to system instability. The vulnerability's classification as easily exploitable indicates that sophisticated attack techniques are not required, making it particularly concerning for production environments where MySQL servers handle critical database operations. The attack vector through multiple protocols suggests that the flaw can be leveraged across various network communication channels, increasing its potential impact surface.

The technical nature of this vulnerability stems from improper handling within the MySQL Server's optimizer module, which is responsible for determining the most efficient execution plan for database queries. When specific query patterns are processed, the optimizer fails to properly validate or manage certain internal states, leading to memory corruption or resource exhaustion conditions. This flaw specifically affects the server's ability to maintain stable operation during query execution, potentially causing the MySQL service to become unresponsive or crash entirely. The complete denial of service condition means that legitimate database operations would be interrupted, potentially affecting business-critical applications that depend on database availability. The CVSS score of 4.9 reflects the moderate to high impact on system availability, particularly when considering that the vulnerability requires only high privileged access rather than administrative privileges, suggesting that compromised accounts with elevated database permissions could be leveraged for this attack.

From an operational perspective, this vulnerability poses substantial risk to database environments where MySQL servers are deployed in production systems. Organizations utilizing affected MySQL versions face potential service disruption that could impact multiple applications simultaneously, especially in scenarios where database connectivity is essential for business operations. The fact that this vulnerability can be triggered through multiple protocols means that attackers could potentially exploit it across different network segments or through various database connection methods. The complete denial of service condition represents a severe impact since database downtime can cascade through dependent systems, affecting user access, data processing capabilities, and overall system reliability. This vulnerability particularly affects environments where database performance optimization is critical, as the optimizer component's instability could compound existing performance issues.

Security practitioners should prioritize immediate remediation of this vulnerability through official Oracle patches or updates to MySQL Server versions beyond 8.0.26. The high privilege requirement for exploitation provides some mitigation in environments where proper access controls are maintained, but organizations should not rely solely on this control given that privilege escalation attacks remain a common threat vector. Network segmentation and access control measures should be reviewed to ensure that only authorized personnel can establish connections to database servers with elevated privileges. The vulnerability's impact aligns with CWE-121, which addresses buffer overflow conditions, and could potentially map to ATT&CK technique T1499.004 for network denial of service attacks, particularly when considering the complete system compromise and availability impact. Organizations should also implement monitoring solutions to detect unusual query patterns or service disruptions that might indicate exploitation attempts, as the vulnerability's behavior could potentially be observed through system logs or performance monitoring tools that track database server stability and resource utilization.

Responsible

Oracle

Reservation

06/28/2021

Disclosure

10/20/2021

Moderation

accepted

CPE

ready

EPSS

0.01883

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!