Use-After-Free Vulnerability in MariaDB Server by MariaDB Corporation
CVE-2022-27456

7.5HIGH

Key Information:

Vendor

Mariadb

Status
Mariadb
Vendor
CVE Published:
14 April 2022

What is CVE-2022-27456?

A use-after-free vulnerability has been identified in MariaDB Server, specifically in the VDec::VDec component located within the /sql/sql_type.cc file. This flaw affects versions 10.6.3 and below, allowing attackers to potentially exploit the application's memory management errors. By manipulating objects after they have been freed, malicious actors may execute arbitrary code or create instability within the database system, posing serious security risks. Users of affected versions should prioritize updating to avoid potential exploitation.

References

https://jira.mariadb.org/browse/MDEV-28093
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20220526-0007/
x_refsource_CONFIRM
https://lists.debian.org/debian-lts-announce/2022/09/msg0...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.