CVE-2026-32710
Published: 20 March 2026
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (This is the MITRE ATT&CK description of technique T1499.004, Application or System Exploitation, which this CVE maps to; the vulnerability-specific summary follows.)
Security Summary
CVE-2026-32710 is a heap-based buffer overflow vulnerability (CWE-122) in the JSON_SCHEMA_VALID() function of MariaDB server, a community-developed fork of MySQL server. It affects MariaDB versions 11.4 prior to 11.4.10 and 11.8 prior to 11.8.6. An authenticated user can trigger the issue, leading to a server crash. The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting high impact potential despite elevated attack complexity.
Any account that can connect to the server over the network and run queries (low privilege, no user interaction) can trigger the flaw by calling JSON_SCHEMA_VALID() with crafted input, crashing the server process and denying service to every other client. The crash is the confirmed impact. The high confidentiality and integrity ratings in the CVSS vector reflect the theoretical case in which the heap overflow is steered into remote code execution; that would require precise control over the server's heap layout, which the advisory treats as feasible only under controlled lab conditions, and it is the reason the vector carries a scope change (S:C) rather than being scored as a plain availability issue.
MariaDB has addressed the issue in versions 11.4.10, 11.8.6, and 12.2.2. Official advisories, including the GitHub Security Advisory at https://github.com/MariaDB/server/security/advisories/GHSA-4rj5-2227-9wgc and the Jira ticket at https://jira.mariadb.org/browse/MDEV-38356, recommend upgrading to these patched releases as the primary mitigation.
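Because the only vendor-recommended mitigation is upgrading, the practical first step is to inventory which servers still run an affected release. The following is an added example written for this page, not code from MariaDB or from the advisory: it parses the string MariaDB returns from `SELECT VERSION();` (for example `11.4.8-MariaDB-ubu2404-log`) and compares it against the fix releases named above. The 11.4 and 11.8 ranges are taken from the advisory text; treating 12.2 releases before 12.2.2 as affected is an assumption inferred from 12.2.2 being listed as a fixed release, and branches the advisory does not name are reported as "unlisted" rather than guessed at. The sample version strings at the bottom are constructed for illustration.

```python
"""Classify MariaDB VERSION() strings against the CVE-2026-32710 fix releases.

Added example for this page; not MariaDB's or the advisory's own code.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# (major, minor) branch -> first release that carries the fix.
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (11, 4): (11, 4, 10),  # advisory: 11.4 prior to 11.4.10 is affected
    (11, 8): (11, 8, 6),   # advisory: 11.8 prior to 11.8.6 is affected
    (12, 2): (12, 2, 2),   # ASSUMPTION: inferred from 12.2.2 being listed as fixed
}

# MariaDB's VERSION() output starts with the numeric release followed by
# build/distro suffixes, e.g. "11.4.8-MariaDB-ubu2404-log".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string: str) -> Optional[Version]:
    """Return (major, minor, patch) from a MariaDB VERSION() string.

    Returns None for anything that is not recognisably a MariaDB server
    version (for example a MySQL build, which is not affected by this CVE).
    """
    if "MariaDB" not in version_string:
        return None
    match = _VERSION_RE.match(version_string.strip())
    if not match:
        return None
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def assess(version_string: str) -> str:
    """Classify one server.

    'vulnerable' - affected branch, release older than the fix
    'fixed'      - affected branch, release at or after the fix
    'unlisted'   - MariaDB branch the advisory does not name; verify manually
    'unknown'    - not a parseable MariaDB version string
    """
    version = parse_version(version_string)
    if version is None:
        return "unknown"
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return "unlisted"
    # Tuple comparison is numeric per component, so 11.4.8 < 11.4.10 holds
    # (a plain string compare would get this wrong).
    return "vulnerable" if version < fixed else "fixed"


# Constructed sample inventory, as an operator might collect it with
# `mysql -e "SELECT VERSION();"` across a fleet.
SAMPLE_INVENTORY = {
    "db-01": "11.4.8-MariaDB-ubu2404-log",
    "db-02": "11.4.10-MariaDB",
    "db-03": "11.8.5-MariaDB-log",
    "db-04": "10.11.9-MariaDB",
    "db-05": "8.0.36",  # MySQL, not MariaDB
}


def report(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to its assessment; printed when run as a script."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host:8s} {SAMPLE_INVENTORY[host]:32s} {status}")
```

Hosts classified "vulnerable" should be scheduled for upgrade to the fix release for their branch; "unlisted" hosts are not cleared by this script and should be checked against the vendor advisory directly, since the affected-version list above is only what this page states.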
Details
- CWE(s): CWE-122 (Heap-based Buffer Overflow)
Affected Products
- MariaDB Server 11.4 prior to 11.4.10
- MariaDB Server 11.8 prior to 11.8.6
- Fixed in 11.4.10, 11.8.6 and 12.2.2
MITRE ATT&CK Enterprise Techniques
- T1499.004 Endpoint Denial of Service: Application or System Exploitation
- T1068 Exploitation for Privilege Escalation
- T1210 Exploitation of Remote Services
Why these techniques?
An authenticated user reaches the heap buffer overflow by sending queries to a network-exposed database service (T1210). Triggering it crashes MariaDB server and denies service to all clients (T1499.004). In the theoretical case where the overflow is turned into code execution, the attacker gains the privileges of the database server process, which is why T1068 is also mapped.