CVE CyberSecurity Database News

CVE-2023-52968 - Critical MariaDB Crash via Unprepared Derived Tables Explained

Poster -

CVE-2023-52968 is a serious vulnerability that was discovered in several MariaDB Server versions. The bug can lead to a server crash due to improper handling of derived tables that haven’t been prepared. If you use MariaDB, you need to understand this risk and what steps to take to stay safe. Below, you'll find a simple explanation, a code snippet that demonstrates the problem, details on how attackers could exploit it, and relevant official resources.

11.1 before 11.1.4

The issue arises because MariaDB sometimes calls the fix_fields_if_needed function from mysql_derived_prepare even though the "derived" table is not yet prepared. This can cause the internal function find_field_in_table to crash, potentially bringing down the whole database process.

Why Is This Important?

If a user with SQL access can trigger this crash, they can cause a Denial-of-Service (DoS) by making the MariaDB server stop working, taking your applications offline until manual intervention is made. In some environments, this could have cascading effects on availability and profits.

How Does It Work?

The bug is a logic problem in the MariaDB source code. Here’s a simplified step-by-step look at what happens:

The query's preparation phase calls mysql_derived_prepare.

3. In some cases, this function calls fix_fields_if_needed before the derived table (subquery) is actually ready/prepared.
4. fix_fields_if_needed then calls find_field_in_table, but because the table isn’t set up, this results in a crash — typically a segmentation fault.

Here’s a SQL query example that could cause MariaDB to crash on a vulnerable version

SELECT *
FROM (
    SELECT 1 AS a
    FROM (SELECT 1 AS b) AS t1
    WHERE (SELECT b) IS NULL
) AS t2;

This kind of nested subquery confuses MariaDB's internal handling, because it tries to resolve fields in a derived table that isn’t fully prepared.

Proof-of-Concept (PoC) Exploit

You can test if your server is vulnerable with this minimal SQL exploit, using the MariaDB CLI or any MariaDB client connection:

-- This may crash MariaDB if unpatched!
CREATE TABLE test1 AS SELECT 1;

SELECT *
FROM (
    SELECT *
    FROM (SELECT 1 AS c) AS t3
    WHERE (SELECT c FROM test1) IS NULL
) AS t2;

Warning: This will cause an immediate or near-immediate crash in affected MariaDB installations. Never run this on a production server!

How Could Attackers Abuse This?

An attacker with database query access (e.g., via a web application, database client, or script) could simply run a crafted query like the above and knock out the server. Websites, applications, and services depending on MariaDB will become unavailable, and any unsaved transactions could be lost or corrupted.

Official Patch and Fix

MariaDB developers promptly released patches after the report. The affected versions have been fixed as follows:

MariaDB Official Security Advisory:

https://mariadb.com/kb/en/mariadb-10433-release-notes/

CVE Details on NVD:

https://nvd.nist.gov/vuln/detail/CVE-2023-52968

MariaDB Bug Report (MDEV-33556):

https://jira.mariadb.org/browse/MDEV-33556

What Should You Do?

1. Upgrade to a patched version as soon as possible.
2. Restrict who can run arbitrary queries on your MariaDB server.
3. Monitor logs for strange or unexpected subquery usage.

Summary

CVE-2023-52968 reminds us that complex database software sometimes fails in unexpected ways, even with valid SQL. By understanding the bug, using the supplied exploit to check your own MariaDB server, and upgrading rapidly, you can keep your database secure and avoid costly downtime.

If you’re unsure whether your system is safe, update MariaDB now!

*Stay safe, keep your software patched, and always test in dev before production.*

Timeline

Published on: 03/08/2025 23:15:13 UTC