CVE-2021-35642 in MySQL Server
Summary
by MITRE • 10/20/2021
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.26 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/17/2025
The vulnerability identified as CVE-2021-35642 represents a critical availability issue within Oracle MySQL Server's optimizer component affecting versions 8.0.26 and earlier. This flaw resides in the server's query optimization engine which processes and executes database operations, making it a core component of the database system's functionality. The vulnerability's classification as easily exploitable indicates that attackers with high privileges and network access can leverage this weakness to disrupt database operations. The CVSS score of 4.9 reflects the significant impact on system availability, specifically targeting the complete denial of service condition that can cause the MySQL server to hang or repeatedly crash. The attack vector requires network access via multiple protocols, suggesting that the vulnerability can be exploited across various communication channels that MySQL supports. The high privilege requirement indicates that this vulnerability likely requires an authenticated user with sufficient permissions to execute malicious queries or commands that trigger the optimizer malfunction.
The technical nature of this vulnerability stems from improper handling within the MySQL Server's optimizer module, which is responsible for determining the most efficient execution plan for database queries. When specific query patterns or conditions are processed through this component, the optimizer fails to properly manage memory or execution flow, leading to system instability. This behavior manifests as either a complete system hang where the database server becomes unresponsive or repeated crashes that can be triggered continuously by an attacker. The vulnerability's impact on availability aligns with CWE-400 which categorizes issues related to resource exhaustion or improper error handling that can lead to denial of service conditions. The flaw specifically affects the server's ability to maintain consistent operation and respond to legitimate database requests, effectively rendering the database service unavailable to authorized users and applications.
The operational consequences of this vulnerability extend beyond simple service disruption, as it can severely impact business continuity and data availability for organizations relying on MySQL databases. When a MySQL server experiences complete denial of service through repeated crashes or hangs, database applications that depend on this service become unable to process transactions, execute queries, or maintain data integrity. The vulnerability's impact is particularly concerning for production environments where database availability is critical for business operations, potentially leading to significant financial losses, customer service disruptions, and compliance violations. Organizations may experience extended downtime while system administrators work to restore services, and the repeated nature of the crashes can make it difficult to maintain consistent database availability. This vulnerability directly maps to ATT&CK technique T1499 which covers denial of service attacks targeting system availability and T1072 which involves the use of remote services to execute malicious code.
Mitigation strategies for CVE-2021-35642 should prioritize immediate patching of affected MySQL Server installations to version 8.0.27 or later, which contains the necessary fixes for the optimizer component. Organizations should also implement network segmentation and access controls to limit the attack surface, ensuring that only authorized users with proper authentication can access database servers. Monitoring systems should be enhanced to detect unusual patterns of database server crashes or hangs that might indicate exploitation attempts. Database administrators should consider implementing connection pooling and query timeout mechanisms to reduce the impact of potential exploitation attempts. Additionally, regular vulnerability assessments and penetration testing should be conducted to identify and remediate similar issues within the database infrastructure. The fix addresses the root cause by properly handling memory management and execution flow within the optimizer, preventing the conditions that lead to system instability and ensuring continued database availability. Organizations should also review their incident response procedures to ensure rapid identification and containment of similar availability threats that may affect their database environments.