CVE-2024-21055 in MySQL Server
Summary
by MITRE • 04/17/2024
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.35 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/06/2025
The vulnerability identified as CVE-2024-21055 resides within the MySQL Server optimizer component of Oracle MySQL, affecting versions 8.0.35 and earlier. This represents a significant security concern as it operates within the core database engine's query optimization logic, which is fundamental to database operations. The vulnerability's classification as easily exploitable indicates that attackers with high privileges and network access can leverage this flaw to compromise the MySQL server, making it particularly dangerous in environments where database administrators maintain elevated access levels.
The technical flaw manifests in the server's optimizer module, which is responsible for determining the most efficient execution plan for database queries. When specific query patterns are processed through this component, the optimizer fails to properly handle certain edge cases or malformed inputs, leading to memory corruption or resource exhaustion conditions. This flaw operates at a deep level within the database engine's execution pipeline, where query optimization decisions are made, making it particularly challenging to detect and prevent through standard network-level security measures.
The operational impact of this vulnerability extends beyond simple data integrity concerns to encompass complete system availability disruption. Successful exploitation results in a denial of service condition where the MySQL server becomes unresponsive or crashes repeatedly, effectively rendering the database service unavailable to legitimate users and applications. This complete denial of service scenario can have cascading effects throughout enterprise environments where MySQL serves as a critical backend component for applications, potentially causing widespread service outages and business disruption.
The CVSS 3.1 scoring of 4.9 reflects the vulnerability's medium severity in terms of exploitability but high impact on availability. The vector assessment (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) indicates that network-based attacks are possible with low complexity, requiring only high privileged access, and can result in complete availability impact without requiring user interaction or causing confidentiality or integrity breaches. This vulnerability aligns with CWE-121, which describes stack-based buffer overflow conditions, and may also relate to CWE-129, representing insufficient validation of the length of input data, both commonly exploited in database server contexts.
Organizations should prioritize immediate patching of affected MySQL server installations to address this vulnerability, as the flaw affects the core database engine functionality and can be exploited by attackers with elevated privileges. The recommended mitigation strategy involves upgrading to MySQL 8.0.36 or later versions where this vulnerability has been addressed through improved input validation and memory management within the optimizer component. Additionally, implementing network segmentation and privilege least-privilege principles can help reduce the attack surface, while monitoring for unusual query patterns or system resource consumption may provide early detection of potential exploitation attempts. Security teams should also consider implementing database activity monitoring solutions to track query execution patterns that might trigger the vulnerable code path, ensuring comprehensive protection against this availability-focused threat.