[debian-mysql] Bug#1126115: mysql-8.0: CVE-2026-21968 CVE-2026-21964 CVE-2026-21948 CVE-2026-21941 CVE-2026-21937 CVE-2026-21936
Moritz Mühlenhoff
jmm at inutil.org
Wed Jan 21 21:56:32 GMT 2026
Package: mysql-8.0
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerabilities were published for mysql-8.0.
CVE-2026-21968[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily
| exploitable vulnerability allows low privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
CVE-2026-21964[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Thread Pooling). Supported versions that are
| affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2026-21948[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2026-21941[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2026-21937[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: DDL). Supported versions that are affected are
| 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable
| vulnerability allows high privileged attacker with network access
| via multiple protocols to compromise MySQL Server. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
CVE-2026-21936[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable
| vulnerability allows high privileged attacker with network access
| via multiple protocols to compromise MySQL Server. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-21968
https://www.cve.org/CVERecord?id=CVE-2026-21968
[1] https://security-tracker.debian.org/tracker/CVE-2026-21964
https://www.cve.org/CVERecord?id=CVE-2026-21964
[2] https://security-tracker.debian.org/tracker/CVE-2026-21948
https://www.cve.org/CVERecord?id=CVE-2026-21948
[3] https://security-tracker.debian.org/tracker/CVE-2026-21941
https://www.cve.org/CVERecord?id=CVE-2026-21941
[4] https://security-tracker.debian.org/tracker/CVE-2026-21937
https://www.cve.org/CVERecord?id=CVE-2026-21937
[5] https://security-tracker.debian.org/tracker/CVE-2026-21936
https://www.cve.org/CVERecord?id=CVE-2026-21936
Please adjust the affected versions in the BTS as needed.
More information about the pkg-mysql-maint
mailing list