Oracle MySQL Cluster 8.0.x < 8.0.45 (January 2026 CPU)

🗓️ 22 Jan 2026 00:00:00Reported by TenableType

Multiple MySQL Cluster versions affected by CVE-2026-21936 enabling remote denial of service.

Reporter	Title	Published	Views	Family All 387
IBM Security Bulletins	Security Bulletin: IBM Instana Observability has addressed Multiple Vulnerabilities within Instana Agent container image	3 Mar 202613:53	–	ibm
IBM Security Bulletins	Security Bulletin: TSSC/IMC is vulnerable to an Out-of-bounds Read	23 Dec 202516:47	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Financial Transaction Manager is impacted by an out-of-bounds read vulnerability in RedHat Proxy for Kubernetes RBAC authorization	30 Oct 202518:05	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Observability with Instana (OnPrem)	29 Jan 202613:44	–	ibm
FreeBSD	MySQL -- Multiple vulnerabilities	20 Jan 202600:00	–	freebsd
ATTACKERKB	CVE-2025-5318	24 Jun 202514:15	–	attackerkb
ATTACKERKB	CVE-2026-21936	20 Jan 202621:56	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : libssh, libssh-config, libssh-devel (ALAS2023-2025-1155)	8 Sep 202500:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0178: libssh (ALINUX3-SA-2025:0178)	17 Nov 202500:00	–	nessus
Tenable Nessus	AlmaLinux 10 : libssh (ALSA-2025:18231)	17 Oct 202500:00	–	nessus

Source	Link
oracle	www.oracle.com/docs/tech/security-alerts/cpuapr2026csaf.json
oracle	www.oracle.com/docs/tech/security-alerts/cpujan2026csaf.json
oracle	www.oracle.com/security-alerts/cpuapr2026.html
oracle	www.oracle.com/security-alerts/cpujan2026.html
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(294979);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/23");

  script_cve_id(
    "CVE-2025-5318",
    "CVE-2026-21936"
  );

  script_name(english:"Oracle MySQL Cluster 8.0.x < 8.0.45 (January 2026 CPU)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The versions of MySQL Cluster installed on the remote host are affected by multiple vulnerabilities as referenced
in the January 2026 and April 2026 CPU advisories.

  - Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions
    that are affected are 7.6.0-7.6.36, 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable
    vulnerability allows high privileged attacker with network access via multiple protocols to compromise
    MySQL Cluster. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang
    or frequently repeatable crash (complete DOS) of MySQL Cluster. (CVE-2026-21936)

  - Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General (libssh)). Supported
    versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability
    allows low privileged attacker with network access via multiple protocols to compromise MySQL Cluster.
    Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some
    of MySQL Cluster accessible data as well as unauthorized read access to a subset of MySQL Cluster accessible
    data. (CVE-2025-5318)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported
version number.");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpuapr2026csaf.json");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/docs/tech/security-alerts/cpujan2026csaf.json");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpuapr2026.html");
  script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/security-alerts/cpujan2026.html");
  script_set_attribute(attribute:"solution", value:
"Apply the appropriate patch according to the January / April 2026 Oracle Critical Patch Update advisories.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:M/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-21936");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2025-5318");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/01/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/01/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:mysql_cluster");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("mysql_version.nasl", "mysql_login.nasl");
  script_require_ports("Services/mysql", 3306);

  exit(0);
}

include('mysql_version.inc');

mysql_check_version(variant:'Cluster', fixed:'8.0.45', min:'8.0', severity:SECURITY_WARNING);

23 Apr 2026 00:00Current

6.6Medium risk

Vulners AI Score6.6

CVSS 3.18.1

EPSS0.00178

SSVC