Server Crash Vulnerability in MariaDB Products
CVE-2026-35549

6.5MEDIUM

Key Information:

Vendor: Mariadb
Status: Mariadb
Vendor: CVE Published:; 3 April 2026

What is CVE-2026-35549?

A vulnerability exists in MariaDB Server, impacting versions prior to 11.4.10, specific 11.5.x versions before 11.8.6, and 12.x versions prior to 12.2.2. When the caching_sha2_password authentication plugin is used, an excessively large packet can cause the server to crash due to the improper handling of memory allocation within the sha256_crypt_r function.

Affected Version(s)

MariaDB 0 < 11.4.10

MariaDB 11.5.0 < 11.8.6

MariaDB 12.0.0 < 12.2.2

References

https://jira.mariadb.org/browse/MDEV-38365

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 3, 2026
Vulnerability Reserved
Apr 3, 2026

CVE-2026-35549 Data

JSON

Mariadb

What is CVE-2026-35549?

Affected Version(s)

References

CVSS V3.1

Timeline