In April 2022, Oracle disclosed a vulnerability in its MySQL Server product, tracked as CVE-2022-21440, as part of that month's Critical Patch Update. The bug lives in the Server: Optimizer component and affects MySQL 8.0.28 and earlier. Exploitation requires an authenticated, high-privileged account, but once an attacker has one the flaw is rated *easily exploitable*: per Oracle's advisory it can be used to hang or repeatedly crash the server (a complete *Denial of Service (DoS)*) and to make unauthorized update, insert or delete changes to some of the data the server holds.

In this post, I’ll break down what CVE-2022-21440 means, detail its impact, show a simplified demonstration with code, and link to the most critical references. My aim is to make this accessible—whether you’re a sysadmin, a developer, or just concerned about your database’s security.

What Is CVE-2022-21440?

CVE-2022-21440 is a bug related to the Optimizer part of MySQL Server. The Optimizer decides how MySQL runs queries. A flaw in this part can let a logged-in attacker send a specially crafted SQL statement that causes the server to crash or hang, or even modify data without proper authorization.

- Affected Versions: 8.0.28 and earlier

- Access Level Required: High-privilege (typically a DBA or another account with broad server rights)

- Attack Complexity: Low (easy to exploit once privileged)

- Exploit Impact: Crash/hang/DoS (A:H) and unauthorized UPDATE/INSERT/DELETE of some data (I:L)

- CVSS v3.1 Score: 5.5 (Medium)

- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H

How Does the Exploit Work?

Because this bug is in the Optimizer, the attacker needs to be able to run arbitrary SQL on the server from a high-privileged account (the PR:H in the CVSS vector). As is usual for MySQL fixes in a Critical Patch Update, Oracle has published only the component and the impact, not the root cause or the triggering statement. What the advisory does tell us is that a crafted statement, when the optimizer processes it, can crash or hang the server and in some cases alter data. Descriptions of the bug as a use-after-free or other specific memory corruption are speculation rather than anything Oracle has confirmed.

This *does not* let someone steal confidential data (the vector scores Confidentiality as None), but it can allow:

- Unexpected shutdown, hang or restart of the server (Denial of Service)
- Unauthorized update, insert or delete of some of the data the server holds (low Integrity impact)

Example Exploit (Simplified Demo)

Oracle does not share the "trigger" query. Unofficial reproducers circulate (see the references at the end of this post), but none has been verified here. The queries below are illustrations of the kind of statement that works the optimizer hard (correlated and nested subqueries, generated columns), not a known crash trigger for this CVE.

⚠️ WARNING: The following code is for educational purposes only. Do not run on production!

Suppose your MySQL user has SUPER or comparable privileges, and your version is 8.0.28 or before. A crafted query in the spirit of the bug looks like this:

-- This uses a crafted subquery to exercise the Optimizer's subquery handling
USE test;
CREATE TABLE t1 (id INT PRIMARY KEY, data INT);

-- Intentionally adding a strange and complex subquery
-- (the right-hand comparison value was missing from the original listing; 0 is assumed)
SELECT * FROM t1
WHERE EXISTS (
      SELECT 1 FROM t1 AS a
      WHERE a.data = t1.id
      AND (SELECT COUNT(*) FROM t1 b WHERE b.id = a.data) > 0
);

A second illustration adds a generated column and deeper nesting, the kind of structure that gives the optimizer more transformations to get wrong:

CREATE TABLE t2 (a INT, b INT AS (a+1));
INSERT INTO t2(a) VALUES (1),(2),(3);

-- Now, a complex query:
SELECT * FROM t2
WHERE b IN (
      SELECT b FROM t2 AS sub WHERE sub.a IN (
            SELECT t2.b FROM t2 WHERE t2.a = sub.a
      )
);

On a vulnerable server, a real trigger makes mysqld abort (the error log typically records "mysqld got signal 11" followed by a stack trace), and unless a supervisor restarts the process the database stays down until someone intervenes. Treat the queries above as illustrations of the statement shape only: they are not a confirmed reproducer, and running a confirmed one against production is a self-inflicted outage.

How to Check and Fix

1. Run SELECT @@version; in your MySQL console.

2. If the version is 8.0.28 or earlier, you are vulnerable. The fix shipped in MySQL 8.0.29, released with Oracle's April 2022 Critical Patch Update (CPU); there is no separate patch to apply on top of 8.0.28.

3. Upgrade MySQL to 8.0.29 or later (the current 8.0 release is preferable, since later CPUs fix further bugs).

- Download the latest version from dev.mysql.com/downloads
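The check in the steps above, as an added example (not code from the original post or from Oracle): a small Python script that classifies a @@version string against the affected range. It handles the distribution and edition suffixes that make a naive string comparison unreliable ('8.0.28-0ubuntu0.20.04.3' vs '8.0.29'). The function names, the mysql CLI invocation, and the choice to send series other than 8.0 back to the advisory rather than mark them safe are my assumptions.

```python
"""Decide from a MySQL @@version string whether a server is in the affected
range for CVE-2022-21440 (MySQL Server 8.0.28 and earlier, fixed in 8.0.29).

Added example, not code from the original post or from Oracle. Assumptions:
the version string is the raw value of SELECT @@version, which distributions
decorate with suffixes like '8.0.28-0ubuntu0.20.04.3' or '8.0.27-log'; the
optional live check in main() assumes a local `mysql` client whose login is
already configured (for example via ~/.my.cnf).
"""
import re
import subprocess
from typing import Tuple

# First release carrying the fix from the April 2022 Critical Patch Update.
FIXED_IN = (8, 0, 29)

# Only the 8.0 series is listed as affected on this page; anything else is
# sent back to the advisory rather than silently marked safe (assumption).
COVERED_SERIES = (8, 0)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch), ignoring any trailing build/edition tag."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised MySQL version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'check advisory' for a @@version value.

    'check advisory' is returned for series other than 8.0 (e.g. 5.7), which
    this page does not cover, so the reader is not given a false all-clear.
    """
    parsed = parse_version(version)
    if parsed[:2] != COVERED_SERIES:
        return "check advisory"
    return "affected" if parsed < FIXED_IN else "fixed"


def server_version() -> str:
    """Ask a local server for its version via the mysql CLI (-N: no column
    header, -s: silent/raw output). Credentials come from the client config."""
    out = subprocess.run(
        ["mysql", "-N", "-s", "-e", "SELECT @@version"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    v = server_version()
    print(f"{v}: {assess(v)} (CVE-2022-21440, fixed in 8.0.29)")
```

Run it on the database host as a user whose client config can log in; for a fleet, feed each host's @@version output into assess() instead of calling server_version() locally.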

Why It Matters

- Business Disruption: If your app or website depends on MySQL, an attacker who already holds a high-privilege account can pull it offline with a single statement, and keep doing so after every restart.
- Abuse from Insiders: Trusted users misusing this bug, or attackers who have obtained admin credentials; the high-privilege requirement is only as strong as your credential hygiene.
- Risk of Data Integrity Issues: Even though confidentiality is not directly impacted, data changes can still harm business processes.

Oracle Security Advisory (Original Reference):

- Oracle Critical Patch Update Advisory - April 2022

NIST National Vulnerability Database Entry:

- CVE-2022-21440 Details

Bugtraq / SecurityFocus / SecurityTracker:

- SecurityTracker - Oracle MySQL Server Optimizer Flaw May Let Users Crash Server or Modify Data

Unofficial PoC & Security Analysis:

- GitHub - Example Crash Reproducer *(linked for academic context)*
- Packet Storm CVE-2022-21440

Takeaway

CVE-2022-21440 is a clear reminder: even with authentication, powerful users can become threats if database engines have logic bugs. Update your MySQL server as soon as possible—*before* someone abuses this for downtime or data sabotage. Always audit high-privilege accounts and stay aware of security bulletins.

Upgrading to the latest MySQL version is the only complete fix.

*If you like this deep dive, share and bookmark. Stay safe out there!*

Timeline

Published on: 04/19/2022 21:15:00 UTC
Last modified on: 06/29/2022 20:49:00 UTC