{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21998", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-01-05T18:07:34.723Z", "datePublished": "2026-04-21T20:34:59.321Z", "dateUpdated": "2026-04-22T14:03:33.673Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:34:59.321Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "MySQL Server", "versions": [{"version": "8.0.0", "status": "affected", "lessThanOrEqual": "8.0.45", "versionType": "custom"}, {"version": "8.4.0", "status": "affected", "lessThanOrEqual": "8.4.8", "versionType": "custom"}, {"version": "9.0.0", "status": "affected", "lessThanOrEqual": "9.6.0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndIncluding": "8.0.45"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.4.0", "versionEndIncluding": "8.4.8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndIncluding": "9.6.0"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T14:03:29.125075Z", "id": "CVE-2026-21998", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:03:33.673Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21998", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T14:03:29.125075Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:03:25.747Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Oracle Corporation", "product": "MySQL Server", "versions": [{"status": "affected", "version": "8.0.0", "versionType": "custom", "lessThanOrEqual": "8.0.45"}, {"status": "affected", "version": "8.4.0", "versionType": "custom", "lessThanOrEqual": "8.4.8"}, {"status": "affected", "version": "9.0.0", "versionType": "custom", "lessThanOrEqual": "9.6.0"}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server."}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "8.0.45", "versionStartIncluding": "8.0.0"}, {"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "8.4.8", "versionStartIncluding": "8.4.0"}, {"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "9.6.0", "versionStartIncluding": "9.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:34:59.321Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21998", "state": "PUBLISHED", "dateUpdated": "2026-04-22T14:03:33.673Z", "dateReserved": "2026-01-05T18:07:34.723Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2026-04-21T20:34:59.321Z", "assignerShortName": "oracle"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "523E15F1-A21A-4D5D-82D5-2EB73B972AD9", "versionEndIncluding": "8.0.45", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "427409D3-F331-4EA0-BEB7-F95594E81B2B", "versionEndIncluding": "8.4.8", "versionStartIncluding": "8.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "3CFD5AEC-ACAB-4F9E-8668-87A0CBD186CB", "versionEndIncluding": "9.6.0", "versionStartIncluding": "9.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)."}], "id": "CVE-2026-21998", "lastModified": "2026-04-23T15:04:45.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "secalert_us@oracle.com", "type": "Secondary"}]}, "published": "2026-04-21T21:16:24.863", "references": [{"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "mysql: Optimizer unspecified vulnerability (CPU Apr 2026)", "id": "2460312", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460312"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-770", "details": ["Oracle CPU describes the issue as following: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server."], "name": "CVE-2026-21998", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "mysql8.4", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "mysql", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "mysql:8.0/mysql", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "mysql:8.4/mysql", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "mysql", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "mysql:8.4/mysql", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21998\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21998\nhttps://www.oracle.com/security-alerts/cpuapr2026.html\nhttps://www.oracle.com/security-alerts/cpuapr2026.html#AppendixMSQL"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Oracle MySQL Critical Patch Update.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.0.45]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.4.0,8.4.8]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.6.0]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "MySQL Server", "source": "cna", "vendor": "Oracle Corporation"}, "product": "mysql_server", "vendor": "oracle"}], "analysis": {"en": {"generated_at": "2026-04-22T05:21:38.974663+00:00", "value": {"mitigation_remediation": ["Upgrade Oracle MySQL Server to a non\u2011vulnerable release (8.0.46+, 8.4.9+, or 9.6.1+).", "Restrict privileged network access to the MySQL Server and enforce the principle of least privilege for client accounts.", "Implement monitoring for unexpected hangs or crashes and configure alerting to detect repeatable denial\u2011of\u2011service patterns."], "summary": {"action": "Patch immediately", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Oracle MySQL Server versions 8.0.0 through 8.0.45, 8.4.0 through 8.4.8, and 9.0.0 through 9.6.0 are vulnerable. Users running these releases should verify their deployment against the Oracle CPU April 2026 advisory.", "description_and_impact": "Vulnerability discovered in the Optimizer component of Oracle MySQL Server allows an attacker with high privileges to trigger a hang or crash, resulting in a denial of service. The flaw is exploitable over the network using any supported protocol and requires an attacker to possess elevated privileges. Once triggered, the server becomes unavailable, impacting only availability with no direct effect on confidentiality or integrity. The CVSS 3.1 base score of 4.9 reflects a low to medium severity availability vulnerability.", "risk_and_exploitability": "Because the CVSS score indicates moderate availability impact and the EPSS is not available, the exploitation likelihood is uncertain but not considered high. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation. An attacker with network connectivity and elevated privileges could exploit the flaw by sending malformed optimizer requests, leading to a crash. Standard denial\u2011of\u2011service defenses such as monitoring for repeated crashes and restricting privileged network access mitigate the risk."}}}}, "created": "2026-04-22T01:45:05.392302+00:00", "title": "Denial-of-Service via Optimizer Component Crash in Oracle MySQL Server", "updated": "2026-04-22T05:30:09.554082+00:00", "vendors": ["oracle", "oracle$PRODUCT$mysql_server"], "weaknesses": ["CWE-400"]}