usn-8536-1
Vulnerability from osv_ubuntu
Published
2026-07-14 11:45
Modified
2026-07-14 11:45
Summary
mariadb vulnerabilities
Details

It was discovered that MariaDB did not properly validate parameters supplied by a joiner node during a State Snapshot Transfer using the mariabackup method. An attacker could possibly use this issue to execute arbitrary shell commands on the donor node. (CVE-2026-44168)

It was discovered that MariaDB did not properly enforce the SHOW CREATE ROUTINE privilege when a user obtained access to a stored routine via a role. An authenticated user could possibly use this issue to obtain sensitive information. (CVE-2026-44169)

It was discovered that MariaDB's mbstream utility did not properly validate paths when unpacking archives. An attacker could possibly use this issue to write files outside of the intended target directory. (CVE-2026-44171)

It was discovered that MariaDB's mysql_real_escape_string() function incorrectly handled the big5 character set. An attacker could possibly use this issue to perform SQL injection attacks. (CVE-2026-44172)

It was discovered that MariaDB did not properly check the FILE privilege when the FROM clause of a SELECT ... INTO OUTFILE or SELECT ... INTO DUMPFILE statement contained only subqueries. An authenticated user could possibly use this issue to write files to unintended locations. (CVE-2026-44173)

It was discovered that MariaDB did not properly validate parameters supplied by a joiner node during a State Snapshot Transfer using the rsync method. An attacker could possibly use this issue to execute arbitrary shell commands on the donor node. (CVE-2026-48163)

It was discovered that MariaDB allowed a high-privileged user to set certain Galera system variables to values containing shell commands, which were then executed by the server process. An authenticated user could possibly use this issue to execute arbitrary shell commands. (CVE-2026-48165)

It was discovered that MariaDB executed shell commands embedded in the name of a joiner node when wsrep_notify_cmd was enabled. A remote attacker could possibly use this issue to execute arbitrary shell commands. (CVE-2026-49261)


{
  "affected": [
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2026-44168",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-44169",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-44171",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-44172",
              "severity": [
                {
                  "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
                  "type": "CVSS_V4"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-44173",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-48163",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-48165",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2026-49261",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:26.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "libmariadb-dev-compat",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "libmariadb3",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "libmariadbd19t64",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-backup",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-client",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-client-compat",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-client-core",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-common",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-connect",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-connect-jdbc",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-cracklib-password-check",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-gssapi-client",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-gssapi-server",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-hashicorp-key-management",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-mroonga",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-oqgraph",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-provider-bzip2",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-provider-lz4",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-provider-lzma",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-provider-lzo",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-provider-snappy",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-rocksdb",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-s3",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-plugin-spider",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-server",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-server-compat",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-server-core",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-test",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          },
          {
            "binary_name": "mariadb-test-data",
            "binary_version": "1:11.8.6-5ubuntu0.1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:26.04:LTS",
        "name": "mariadb",
        "purl": "pkg:deb/ubuntu/mariadb@1:11.8.6-5ubuntu0.1?arch=source\u0026distro=resolute"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1:11.8.6-5ubuntu0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1:11.8.3-1build1",
        "1:11.8.5-1",
        "1:11.8.5-2",
        "1:11.8.5-3",
        "1:11.8.5-4",
        "1:11.8.6-1",
        "1:11.8.6-3",
        "1:11.8.6-4",
        "1:11.8.6-5"
      ]
    }
  ],
  "aliases": [],
  "details": "It was discovered that MariaDB did not properly validate parameters\nsupplied by a joiner node during a State Snapshot Transfer using the\nmariabackup method. An attacker could possibly use this issue to execute\narbitrary shell commands on the donor node. (CVE-2026-44168)\n\nIt was discovered that MariaDB did not properly enforce the SHOW CREATE\nROUTINE privilege when a user obtained access to a stored routine via a\nrole. An authenticated user could possibly use this issue to obtain\nsensitive information. (CVE-2026-44169)\n\nIt was discovered that MariaDB\u0027s mbstream utility did not properly validate\npaths when unpacking archives. An attacker could possibly use this issue to\nwrite files outside of the intended target directory. (CVE-2026-44171)\n\nIt was discovered that MariaDB\u0027s mysql_real_escape_string() function\nincorrectly handled the big5 character set. An attacker could possibly use\nthis issue to perform SQL injection attacks. (CVE-2026-44172)\n\nIt was discovered that MariaDB did not properly check the FILE privilege\nwhen the FROM clause of a SELECT ... INTO OUTFILE or SELECT ... INTO\nDUMPFILE statement contained only subqueries. An authenticated user could\npossibly use this issue to write files to unintended locations.\n(CVE-2026-44173)\n\nIt was discovered that MariaDB did not properly validate parameters\nsupplied by a joiner node during a State Snapshot Transfer using the rsync\nmethod. An attacker could possibly use this issue to execute arbitrary\nshell commands on the donor node. (CVE-2026-48163)\n\nIt was discovered that MariaDB allowed a high-privileged user to set\ncertain Galera system variables to values containing shell commands, which\nwere then executed by the server process. An authenticated user could\npossibly use this issue to execute arbitrary shell commands.\n(CVE-2026-48165)\n\nIt was discovered that MariaDB executed shell commands embedded in the name\nof a joiner node when wsrep_notify_cmd was enabled. A remote attacker could\npossibly use this issue to execute arbitrary shell commands.\n(CVE-2026-49261)",
  "id": "USN-8536-1",
  "modified": "2026-07-14T11:45:03Z",
  "published": "2026-07-14T11:45:03Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-8536-1"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-44168"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-44169"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-44171"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-44172"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-44173"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-48163"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-48165"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2026-49261"
    }
  ],
  "related": [],
  "schema_version": "1.7.0",
  "summary": "mariadb vulnerabilities",
  "upstream": [
    "UBUNTU-CVE-2026-44168",
    "UBUNTU-CVE-2026-44169",
    "UBUNTU-CVE-2026-44171",
    "UBUNTU-CVE-2026-44172",
    "UBUNTU-CVE-2026-44173",
    "UBUNTU-CVE-2026-48163",
    "UBUNTU-CVE-2026-48165",
    "UBUNTU-CVE-2026-49261"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…