How to Fix CVE-2026-34308: MySQL Server (Bundle Sibling)

By Sai Kiran Pandrala

Last verified: 2026-05-25

CVE-2026-34308 is a sibling vulnerability in the same vendor advisory as CVE-2026-21998. Applying the patched build named in the primary write-up closes this CVE as well.

What's different about CVE-2026-34308?

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: JSON). Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

The technical impact and remediation are identical to the primary CVE in the bundle. The same vendor patch closes both.

How to fix CVE-2026-34308

Apply the patched build per the primary write-up: How to Fix CVE-2026-21998.

The patch installation procedure, verification commands, and interim mitigations are documented there. Reusing one runbook keeps the rollout consistent across the bundle.

Frequently asked questions

Is CVE-2026-34308 fixed by the same patch as CVE-2026-21998?

Yes. CVE-2026-34308 ships in the same vendor advisory as CVE-2026-21998. Applying the patched build named in the primary write-up closes both.

What is the CVSS score for CVE-2026-34308?

The CVSS base score is 6.5 (Medium).

Is it being exploited?

It is not currently listed in CISA KEV.

References

• Official vendor advisory: https://www.oracle.com/security-alerts/cpuapr2026.html
• NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2026-34308
• CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
• Primary write-up: How to Fix CVE-2026-21998

*Part of the MySQL Server bundle. Full procedure at CVE-2026-21998.*