HIGH · CVE-2026-46863 · CNA: oracle

CVE-2026-46863: Vulnerability in the MySQL Server, MySQL Cluster product of Oracle MySQL (component: Server: Connection Handling)

Vulnerability in the MySQL Server, MySQL Cluster product of Oracle MySQL (component: Server: Connection Handling). Supported versions that are affected are MySQL Server: 8.4.0-8.4.9, 9.0.0-9.7.0; MySQL Cluster: 8.0.11-8.0.46, 8.4.0-8.4.9 and 9.0.0-9.7.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise MySQL Server and MySQL Cluster. Successful attacks can result in an unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Server or MySQL Cluster. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: no fix version published yet
  • Affected Products: 2


HarborGuard Analysis

Synopsis

A denial-of-service vulnerability exists in the Connection Handling component of Oracle MySQL Server and MySQL Cluster. The flaw is reachable over any network without authentication, meaning any host that can open a connection to the database port can trigger it. Successful exploitation causes MySQL Server or MySQL Cluster to hang or crash repeatedly, taking the database fully offline. No fix versions have been published yet; HarborGuard is tracking this advisory and will surface a patched-image rebuild the moment Oracle releases one.

HarborGuard Coverage

Detection

Detection of CVE-2026-46863 is available across every HarborGuard environment: the CVE is ingested from Oracle and upstream vulnerability feeds within minutes of publication and matched against all customer images, including custom-built images that bundle affected MySQL Server or MySQL Cluster versions. Any image carrying a version in the affected ranges (MySQL Server 8.4.0-8.4.9 or 9.0.0-9.7.0; MySQL Cluster 8.0.11-8.0.46, 8.4.0-8.4.9, or 9.0.0-9.7.0) is flagged automatically.

Status: Available
Triage

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine escalation priority. Triage findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available
Patch

Because no upstream fix has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated version is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and pull request against affected workloads will be initiated without manual intervention once a fix version exists.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the MySQL service over the network; the vulnerability is exposed via multiple protocols on any network-accessible MySQL port.

  • Authentication: Not required

    No credentials are needed; the attacker can trigger the flaw as an unauthenticated client before any login handshake completes.

  • Victim interaction: Not required

    No user or administrator action is required; the attacker initiates the exploit entirely on their own.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup to succeed.

Blast Radius

  • Crashes or hangs the MySQL Server or MySQL Cluster process, taking the database completely offline.
  • Any application or service dependent on the affected MySQL instance loses database connectivity for the duration of the outage.
  • The crash is frequently repeatable, meaning an attacker can sustain the denial of service by re-triggering it after each recovery attempt.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46863, the platform monitors the advisory on every ingest cycle rather than queuing a rebuild. In the meantime, customers can use HarborGuard network-policy controls to restrict which source addresses are permitted to reach MySQL ports, reducing the exposure surface while a patch is pending. Egress filtering and connection-allow-listing rules can be applied at the workload level through HarborGuard's compensating-control recommendations surfaced on the finding detail page. The moment Oracle publishes a remediated version, a patched-image rebuild becomes available automatically; for customers with auto-remediation enabled, this triggers a full rebuild, regression run, and a PR opened against every affected workload without requiring manual steps.

Affected packages

  • Oracle Corporation / MySQL Server
    8.4.0-8.4.9 · 9.0.0-9.7.0
  • Oracle Corporation / MySQL Cluster
    8.0.11-8.0.46 · 8.4.0-8.4.9 · 9.0.0-9.7.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H