CVE-2026-35549 - Vulnerability Details - OpenCVE

An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2. If the caching_sha2_password authentication plugin is installed, and some user accounts are configured to use it, a large packet can crash the server because sha256_crypt_r uses alloca.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00047.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Mariadb	Mariadb

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Mariadb	Mariadb

References

Link	Providers
https://jira.mariadb.org/browse/MDEV-38365

History

Fri, 03 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 03 Apr 2026 10:15:00 +0000

Type	Values Removed	Values Added
Title		Large Packet Crashes MariaDB Server via caching_sha2_password Plugin
First Time appeared		Mariadb Mariadb mariadb
Vendors & Products		Mariadb Mariadb mariadb

Fri, 03 Apr 2026 05:15:00 +0000

Type	Values Removed	Values Added
Description		An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2. If the caching_sha2_password authentication plugin is installed, and some user accounts are configured to use it, a large packet can crash the server because sha256_crypt_r uses alloca.
Weaknesses		CWE-789
References		https://jira.mariadb.org/browse/MDEV-38365
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-03T05:00:18.121Z

Updated: 2026-04-03T14:34:04.466Z

Reserved: 2026-04-03T05:00:17.626Z

Link: CVE-2026-35549

Vulnrichment

Updated: 2026-04-03T14:33:57.055Z

NVD

Status : Awaiting Analysis

Published: 2026-04-03T05:16:23.160

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-35549

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:15:44Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35549", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-03T05:00:17.626Z", "datePublished": "2026-04-03T05:00:18.121Z", "dateUpdated": "2026-04-03T14:34:04.466Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MariaDB", "vendor": "MariaDB", "versions": [{"lessThan": "11.4.10", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "11.8.6", "status": "affected", "version": "11.5.0", "versionType": "semver"}, {"lessThan": "12.2.2", "status": "affected", "version": "12.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2. If the caching_sha2_password authentication plugin is installed, and some user accounts are configured to use it, a large packet can crash the server because sha256_crypt_r uses alloca."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "description": "CWE-789 Memory Allocation with Excessive Size Value", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T05:00:18.121Z"}, "references": [{"url": "https://jira.mariadb.org/browse/MDEV-38365"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T14:33:50.651023Z", "id": "CVE-2026-35549", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T14:34:04.466Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35549", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T14:33:50.651023Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T14:33:57.055Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MariaDB", "product": "MariaDB", "versions": [{"status": "affected", "version": "0", "lessThan": "11.4.10", "versionType": "semver"}, {"status": "affected", "version": "11.5.0", "lessThan": "11.8.6", "versionType": "semver"}, {"status": "affected", "version": "12.0.0", "lessThan": "12.2.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://jira.mariadb.org/browse/MDEV-38365"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2. If the caching_sha2_password authentication plugin is installed, and some user accounts are configured to use it, a large packet can crash the server because sha256_crypt_r uses alloca."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789 Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-03T05:00:18.121Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35549", "state": "PUBLISHED", "dateUpdated": "2026-04-03T14:34:04.466Z", "dateReserved": "2026-04-03T05:00:17.626Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-03T05:00:18.121Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,11.4.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[11.5.0,11.8.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.0.0,12.2.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MariaDB", "source": "cna", "vendor": "MariaDB"}, "product": "mariadb", "vendor": "mariadb"}], "analysis": {"en": {"generated_at": "2026-04-03T07:50:20.506797+00:00", "value": {"mitigation_remediation": ["Upgrade MariaDB to the latest available version in your release line.", "If immediate upgrade is not possible, disable the caching_sha2_password plugin for all accounts or change accounts to use an alternative authentication plugin."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to MariaDB Server from MariaDB across multiple series. Specifically, all 11.4.x releases older than 11.4.10, every 11.5.x release, every 11.6.x and 11.7.x release, all 11.8.x releases older than 11.8.6, and all 12.0.x, 12.1.x, and 12.2.x releases older than 12.2.2 are vulnerable when the caching_sha2_password plugin is enabled for any account.", "description_and_impact": "A flaw exists in MariaDB Server versions before certain release points, affecting configurations that use the caching_sha2_password authentication plugin. Sending a specially crafted large packet triggers a crash because the sha256_crypt_r function allocates memory on the stack with alloca based on packet size, leading to a stack buffer overflow. The result is a denial of service, where the database process terminates and must be restarted, affecting availability for all users on the affected instance.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate risk. No EPSS score is available, so the exploitation frequency is unclear. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker would need remote access to the MariaDB server and an account that authenticates via caching_sha2_password to send an oversized packet, making exposed or compromised database instances the most likely targets; isolated internal deployments are less vulnerable."}}}}, "created": "2026-04-03T07:30:58.626504+00:00", "title": "Large Packet Crashes MariaDB Server via caching_sha2_password Plugin", "updated": "2026-04-03T09:15:44.969676+00:00", "vendors": ["mariadb", "mariadb$PRODUCT$mariadb"]}