CRITICAL · CVE-2026-44172 · CNA: GitHub_M

CVE-2026-44172: MariaDB: mysql_real_escape_string() incorrectly handled big5

MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections, even though mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19 and 3.4.9.

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in:
  • Affected Products: 1

HarborGuard Analysis

Synopsis

SQL injection vulnerability in MariaDB server affects applications using the mysql_real_escape_string() function with the big5 character set. The flaw is reachable over the network with no authentication required, allowing a remote unauthenticated attacker to send crafted input that bypasses the escaping function entirely. Successful exploitation gives the attacker read and write access to the database, enabling theft of stored data and unauthorized modification of database records. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as upstream publishes a fix version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle the MariaDB server package at affected versions 3.3.18 or 3.4.8.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 9.1 (Critical) and applies per-environment compliance policy weighting to prioritize routing; alerts are dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no upstream fix version has been published yet, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available automatically the moment a fix appears upstream. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once the fix is available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the MariaDB-backed application over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    No credentials or account are required; the injection is exercisable through any public-facing input that passes data to the affected escaping function.

  • Victim interaction: Not required

    No victim action is needed; the attacker sends crafted input directly without relying on a user to click a link or open a file.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race windows, or memory layout knowledge.

Blast Radius

  • Reads arbitrary database rows, including stored credentials, session tokens, and user records accessible to the application's database account.
  • Writes or modifies persisted database rows, allowing an attacker to alter application data, escalate privileges within the application, or corrupt records.
  • Availability is not impacted according to the CVSS scoring; the service continues running while data is silently read or tampered with.

How HarborGuard Handles This

Available on HarborGuard: images containing MariaDB server at versions 3.3.18 or 3.4.8 are flagged Critical immediately upon scan. Because no upstream patch has been published as of the CVE record date, HarborGuard monitors the advisory each ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression test run and PR against affected workloads the moment a fix version ships. In the interim, compensating controls available within HarborGuard network policy tooling include isolating affected services with egress filtering to restrict which hosts can reach the MariaDB port, applying network policy rules to limit inbound connections to trusted application tiers only, and flagging any pipeline that introduces versions 3.3.18 or 3.4.8 as a build-gate failure until upstream resolution is confirmed.
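
One way to implement the build-gate control described above, as an added example that is not HarborGuard's own tooling: it reads a CycloneDX-style component list and fails the stage when MariaDB server is at 3.3.18 or 3.4.8, or when its version is missing. The sample inventory and the group/name identifiers are constructed assumptions; the fixed versions are the ones given in the CVE description.

```python
import json

# Affected -> fixed versions, exactly as stated in the CVE description.
AFFECTED = {"3.3.18": "3.3.19", "3.4.8": "3.4.9"}
# Assumption: the SBOM identifies the package as group "MariaDB", name "server".
TARGET = ("mariadb", "server")

# Constructed sample inventory (CycloneDX-style "components" list).
SAMPLE_SBOM = json.dumps({"components": [
    {"group": "MariaDB", "name": "server", "version": "3.4.8"},
    {"group": "MariaDB", "name": "server", "version": "v3.3.19"},
    {"group": "mariadb", "name": "Server", "version": " 3.3.18 "},
    {"group": "openssl", "name": "openssl", "version": "3.4.8"},
    {"group": "MariaDB", "name": "server"},
]})

def normalize(version):
    """Strip whitespace and a leading 'v' so '3.4.8' and 'v3.4.8' compare equal."""
    v = (version or "").strip()
    return v[1:] if v[:1] in ("v", "V") else v

def gate(sbom_text):
    """Return (findings, unknown): affected components and ones with no version."""
    findings, unknown = [], []
    for comp in json.loads(sbom_text).get("components", []):
        ident = (str(comp.get("group", "")).lower(), str(comp.get("name", "")).lower())
        if ident != TARGET:
            continue  # the same version number on another package is not a match
        version = normalize(comp.get("version"))
        if not version:
            unknown.append(comp)  # cannot show it is unaffected: fail closed
        elif version in AFFECTED:
            findings.append({"version": version, "fixed_in": AFFECTED[version]})
    return findings, unknown

def exit_code(sbom_text):
    """Non-zero fails the pipeline stage."""
    findings, unknown = gate(sbom_text)
    return 1 if findings or unknown else 0

if __name__ == "__main__":
    found, unk = gate(SAMPLE_SBOM)
    for f in found:
        print(f"BLOCK CVE-2026-44172: MariaDB server {f['version']} (fixed in {f['fixed_in']})")
    print(f"{len(unk)} component(s) without a version")
    raise SystemExit(exit_code(SAMPLE_SBOM))
```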

Affected packages
  • MariaDB / server
    = 3.3.18 · = 3.4.8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N