CVE-2026-32710

Description

MariaDB server is a community developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a bug in JSON_SCHEMA_VALID() function. Under certain conditions it might be possible to turn the crash into a remote code execution. These conditions require tight control over memory layout which is generally only attainable in a lab environment. This issue is fixed in MariaDB 11.4.10, MariaDB 11.8.6, and MariaDB 12.2.2.

CVSS Details

CVSS Score

8.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:mariadb:mariadb:12.1.2:*:*:*:*:*:*:* - VULNERABLE

MariaDB 11.4 < 11.4.10

MariaDB 11.8 < 11.8.6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

-- PoC for CVE-2026-32710 MariaDB Vulnerability
-- Description: Trigger crash/potential RCE via JSON_SCHEMA_VALID
-- Prerequisites: Valid database user credentials

-- Connect to the target MariaDB instance
-- mysql -u user -p -h target_ip

-- Execute the malicious function call
-- Note: The specific JSON schema structure to trigger the crash
-- depends on the internal memory handling of the specific version.
-- Below is a representation of the attack vector.

SELECT JSON_SCHEMA_VALID(
    '{
      "type": "object",
      "properties": {
        "malicious_key": { "type": "string" }
      },
      "required": ["malicious_key"]
    }',
    '{"malicious_key": "overflow_payload_here"}
');

-- If exploited successfully, the database server process will terminate (Crash).
-- In specific lab conditions (controlled heap layout), this may lead to RCE.

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-32710
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-32710
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-32710/
[4] VulDB https://vuldb.com/cve/CVE-2026-32710
[5] https://github.com/MariaDB/server/security/advisories/GHSA-4rj5-2227-9wgc
[6] https://jira.mariadb.org/browse/MDEV-38356

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-32710", "sourceIdentifier": "[email protected]", "published": "2026-03-20T19:16:16.670", "lastModified": "2026-03-31T21:13:18.860", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MariaDB server is a community developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a bug in JSON_SCHEMA_VALID() function. Under certain conditions it might be possible to turn the crash into a remote code execution. These conditions require tight control over memory layout which is generally only attainable in a lab environment. This issue is fixed in MariaDB 11.4.10, MariaDB 11.8.6, and MariaDB 12.2.2."}, {"lang": "es", "value": "El servidor MariaDB es una bifurcación desarrollada por la comunidad del servidor MySQL. Un usuario autenticado puede provocar la caída de las versiones de MariaDB 11.4 anteriores a la 11.4.10 y 11.8 anteriores a la 11.8.6 a través de un error en la función JSON_SCHEMA_VALID(). Bajo ciertas condiciones, podría ser posible convertir la caída en una ejecución remota de código. Estas condiciones requieren un control estricto sobre la disposición de la memoria, lo cual generalmente solo es alcanzable en un entorno de laboratorio. Este problema está solucionado en MariaDB 11.4.10, MariaDB 11.8.6 y MariaDB 12.2.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.4.1", "versionEndExcluding": "11.4.10", "matchCriteriaId": "F554DA54-CB4F-4843-A299-2EC74F7828F2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.8.1", "versionEndExcluding": "11.8.6", "matchCriteriaId": "735F5DEC-670E-4937-85DB-C3696A7BB829"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mariadb:mariadb:12.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "2D463CD2-E30F-4899-9802-5AAA1E2B9048"}]}]}], "references": [{"url": "https://github.com/MariaDB/server/security/advisories/GHSA-4rj5-2227-9wgc", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://jira.mariadb.org/browse/MDEV-38356", "source": "[email protected]", "tags": ["Vendor Advisory", "Issue Tracking"]}]}}