CVE-2026-32710 (GCVE-0-2026-32710)

Vulnerability from cvelistv5 – Published: 2026-03-20 18:31 – Updated: 2026-03-27 03:55
VLAI?
Title
Heap-based Buffer Overflow in MariaDB
Summary
MariaDB server is a community developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a bug in JSON_SCHEMA_VALID() function. Under certain conditions it might be possible to turn the crash into a remote code execution. These conditions require tight control over memory layout which is generally only attainable in a lab environment. This issue is fixed in MariaDB 11.4.10, MariaDB 11.8.6, and MariaDB 12.2.2.
Severity ?
8.6 (High)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
MariaDB server Affected: >= 11.4.1, < 11.4.10
Affected: >= 11.8.1, < 11.8.6
Affected: >= 12.1.2, < 12.2.2
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32710",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T03:55:38.121Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "server",
          "vendor": "MariaDB",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 11.4.1, \u003c 11.4.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 11.8.1, \u003c 11.8.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 12.1.2, \u003c 12.2.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MariaDB server is a community developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a bug in JSON_SCHEMA_VALID() function. Under certain conditions it might be possible to turn the crash into a remote code execution. These conditions require tight control over memory layout which is generally only attainable in a lab environment. This issue is fixed in MariaDB 11.4.10, MariaDB 11.8.6, and MariaDB 12.2.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T18:31:48.870Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/MariaDB/server/security/advisories/GHSA-4rj5-2227-9wgc",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/MariaDB/server/security/advisories/GHSA-4rj5-2227-9wgc"
        },
        {
          "name": "https://jira.mariadb.org/browse/MDEV-38356",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.mariadb.org/browse/MDEV-38356"
        }
      ],
      "source": {
        "advisory": "GHSA-4rj5-2227-9wgc",
        "discovery": "UNKNOWN"
      },
      "title": "Heap-based Buffer Overflow in MariaDB"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32710",
    "datePublished": "2026-03-20T18:31:48.870Z",
    "dateReserved": "2026-03-13T14:33:42.824Z",
    "dateUpdated": "2026-03-27T03:55:38.121Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32710\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T19:16:16.670\",\"lastModified\":\"2026-03-31T21:13:18.860\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MariaDB server is a community developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a bug in JSON_SCHEMA_VALID() function. Under certain conditions it might be possible to turn the crash into a remote code execution. These conditions require tight control over memory layout which is generally only attainable in a lab environment. This issue is fixed in MariaDB 11.4.10, MariaDB 11.8.6, and MariaDB 12.2.2.\"},{\"lang\":\"es\",\"value\":\"El servidor MariaDB es una bifurcaci\u00f3n desarrollada por la comunidad del servidor MySQL. Un usuario autenticado puede provocar la ca\u00edda de las versiones de MariaDB 11.4 anteriores a la 11.4.10 y 11.8 anteriores a la 11.8.6 a trav\u00e9s de un error en la funci\u00f3n JSON_SCHEMA_VALID(). Bajo ciertas condiciones, podr\u00eda ser posible convertir la ca\u00edda en una ejecuci\u00f3n remota de c\u00f3digo. Estas condiciones requieren un control estricto sobre la disposici\u00f3n de la memoria, lo cual generalmente solo es alcanzable en un entorno de laboratorio. Este problema est\u00e1 solucionado en MariaDB 11.4.10, MariaDB 11.8.6 y MariaDB 12.2.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-122\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.4.1\",\"versionEndExcluding\":\"11.4.10\",\"matchCriteriaId\":\"F554DA54-CB4F-4843-A299-2EC74F7828F2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.8.1\",\"versionEndExcluding\":\"11.8.6\",\"matchCriteriaId\":\"735F5DEC-670E-4937-85DB-C3696A7BB829\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mariadb:mariadb:12.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2D463CD2-E30F-4899-9802-5AAA1E2B9048\"}]}]}],\"references\":[{\"url\":\"https://github.com/MariaDB/server/security/advisories/GHSA-4rj5-2227-9wgc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://jira.mariadb.org/browse/MDEV-38356\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\",\"Issue Tracking\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32710\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T21:25:17.333870Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T21:25:26.081Z\"}}], \"cna\": {\"title\": \"Heap-based Buffer Overflow in MariaDB\", \"source\": {\"advisory\": \"GHSA-4rj5-2227-9wgc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"MariaDB\", \"product\": \"server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 11.4.1, \u003c 11.4.10\"}, {\"status\": \"affected\", \"version\": \"\u003e= 11.8.1, \u003c 11.8.6\"}, {\"status\": \"affected\", \"version\": \"\u003e= 12.1.2, \u003c 12.2.2\"}]}], \"references\": [{\"url\": \"https://github.com/MariaDB/server/security/advisories/GHSA-4rj5-2227-9wgc\", \"name\": \"https://github.com/MariaDB/server/security/advisories/GHSA-4rj5-2227-9wgc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://jira.mariadb.org/browse/MDEV-38356\", \"name\": \"https://jira.mariadb.org/browse/MDEV-38356\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"MariaDB server is a community developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a bug in JSON_SCHEMA_VALID() function. Under certain conditions it might be possible to turn the crash into a remote code execution. These conditions require tight control over memory layout which is generally only attainable in a lab environment. This issue is fixed in MariaDB 11.4.10, MariaDB 11.8.6, and MariaDB 12.2.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-122\", \"description\": \"CWE-122: Heap-based Buffer Overflow\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T18:31:48.870Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32710\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-27T03:55:38.121Z\", \"dateReserved\": \"2026-03-13T14:33:42.824Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T18:31:48.870Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.