{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34319", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-03-26T19:48:45.681Z", "datePublished": "2026-04-21T20:35:40.067Z", "dateUpdated": "2026-04-21T20:35:40.067Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:40.067Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Shell."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "MySQL Shell", "versions": [{"version": "8.0.0", "status": "affected", "lessThanOrEqual": "8.0.45", "versionType": "custom"}, {"version": "8.4.0", "status": "affected", "lessThanOrEqual": "8.4.8", "versionType": "custom"}, {"version": "9.0.0", "status": "affected", "lessThanOrEqual": "9.6.0", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:mysql_shell:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0.0", "versionEndIncluding": "8.0.45"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:mysql_shell:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.4.0", "versionEndIncluding": "8.4.8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:mysql_shell:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndIncluding": "9.6.0"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Shell. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5, "baseSeverity": "MEDIUM"}}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the MySQL Shell product of Oracle MySQL (component: Shell: Core Client). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Shell executes to compromise MySQL Shell. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Shell. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H)."}], "id": "CVE-2026-34319", "lastModified": "2026-04-21T21:16:37.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 3.6, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-04-21T21:16:37.487", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T02:19:25.264494+00:00", "value": {"mitigation_remediation": ["Apply the latest MySQL Shell update that removes the crash condition", "If an immediate update is not possible, limit Shell usage to trusted accounts or disable its service in production environments", "Monitor system logs for repeated crash events and enforce alerts on unresponsive Shell processes"], "summary": {"action": "Monitor", "impact": "Denial of Service from local crash"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in Oracle MySQL Shell for all supported releases from 8.0.0 to 8.0.45, 8.4.0 to 8.4.8, and 9.0.0 to 9.6.0. All installations of the Shell running under these versions are potentially affected.", "description_and_impact": "An attacker who can log on to the host where MySQL Shell runs can trigger a crash or hang in the Shell component, resulting in a complete denial of service. The flaw is a local, low\u2011privilege vulnerability that does not grant elevated privileges or data disclosure but can bring the Shell process to an unresponsive state. The CVSS base score of 5.0 reflects an impact on availability only, with an attack vector of local access and required user interaction.", "risk_and_exploitability": "Because the flaw requires an attacker to run commands locally within MySQL Shell and an additional human to trigger the crash, the likelihood of successful exploitation is limited to environments where an attacker can obtain logon access. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. The moderate CVSS score suggests some risk to local availability, but the attack requires user interaction beyond the initial attacker, reducing overall exploitation probability."}}}}, "created": "2026-04-22T02:30:05.612898+00:00", "title": "Local Denial\u2011of\u2011Service via Crash in Oracle MySQL Shell", "updated": "2026-04-22T02:30:05.612908+00:00", "vendors": [], "weaknesses": ["CWE-734"]}