CVE-2026-32710
Published: 20 March 2026
Summary
CVE-2026-32710 is a high-severity heap-based buffer overflow (CWE-122) in MariaDB Server (vendor: MariaDB). Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 46.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-32710 is a heap-based buffer overflow vulnerability (CWE-122) in the JSON_SCHEMA_VALID() function of MariaDB server, a community-developed fork of MySQL server. It affects MariaDB versions 11.4 prior to 11.4.10 and 11.8 prior to 11.8.6. An authenticated user can trigger the issue, leading to a server crash. The vulnerability carries a CVSS v3.1 base score of 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting high impact potential despite elevated attack complexity.
An attacker with low-privilege authenticated access over the network can exploit this vulnerability by invoking the flawed JSON_SCHEMA_VALID() function, causing a denial-of-service via server crash. Under specific conditions requiring precise control over memory layout—typically feasible only in controlled lab environments—the crash could potentially escalate to remote code execution, granting high confidentiality, integrity, and availability impacts with a scope change.
MariaDB has addressed the issue in versions 11.4.10, 11.8.6, and 12.2.2. Official advisories, including the GitHub Security Advisory at https://github.com/MariaDB/server/security/advisories/GHSA-4rj5-2227-9wgc and the Jira ticket at https://jira.mariadb.org/browse/MDEV-38356, recommend upgrading to these patched releases as the primary mitigation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13764
Vulnerability details
MariaDB server is a community-developed fork of MySQL server. An authenticated user can crash MariaDB versions 11.4 before 11.4.10 and 11.8 before 11.8.6 via a bug in the JSON_SCHEMA_VALID() function. Under certain conditions it might be possible to turn the crash into a remote code execution. These conditions require tight control over memory layout, which is generally only attainable in a lab environment. This issue is fixed in MariaDB 11.4.10, MariaDB 11.8.6, and MariaDB 12.2.2.
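The affected ranges above are the check an operator actually needs to run across a fleet. The following is an added example, not code from MariaDB or from this advisory's source: it parses the string returned by `SELECT VERSION()` and classifies it against the series and fixed releases the advisory names. The function names, the `assess` status values, and the sample version strings are this example's own constructions. The advisory names 12.2.2 as a fixed release without stating an affected floor for the 12.2 series, so earlier 12.2 builds are reported as "verify_with_vendor" rather than guessed either way.

```python
"""Classify MariaDB server versions against the ranges CVE-2026-32710 lists.

Added example (not MariaDB tooling). Affected series and fixed releases are
taken from the advisory text: 11.4 before 11.4.10 and 11.8 before 11.8.6 are
affected; 11.4.10, 11.8.6 and 12.2.2 are fixed.
"""
import re

# Series the advisory explicitly lists as affected -> first fixed release.
FIXED_IN = {
    (11, 4): (11, 4, 10),
    (11, 8): (11, 8, 6),
}

# The advisory names 12.2.2 as fixed but gives no affected floor for 12.2.
FIXED_ONLY = {
    (12, 2): (12, 2, 2),
}


def parse_version(version_string):
    """Turn a VERSION() string such as '11.4.9-MariaDB-log' into (11, 4, 9).

    Only the leading numeric triple matters; distribution suffixes are ignored.
    Raises ValueError on strings that do not start with MAJOR.MINOR.PATCH.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(part) for part in m.groups())


def assess(version_string):
    """Return one of 'affected', 'fixed', 'verify_with_vendor', 'not_listed'.

    'affected'           : in a listed series and older than its fixed release
    'fixed'              : at or above a fixed release the advisory names
    'verify_with_vendor' : 12.2 build older than 12.2.2; advisory states no floor
    'not_listed'         : series the advisory does not mention at all
    """
    version = parse_version(version_string)
    series = version[:2]
    if series in FIXED_IN:
        return "affected" if version < FIXED_IN[series] else "fixed"
    if series in FIXED_ONLY:
        return "fixed" if version >= FIXED_ONLY[series] else "verify_with_vendor"
    return "not_listed"


def triage(inventory):
    """Map each host to its status for a {host: version_string} inventory.

    Unparseable version strings are reported as 'unparseable' so a bad
    inventory row never silently drops out of the report.
    """
    report = {}
    for host, version_string in inventory.items():
        try:
            report[host] = assess(version_string)
        except ValueError:
            report[host] = "unparseable"
    return report


if __name__ == "__main__":
    # Constructed sample inventory, as an operator might export it from
    # `SELECT VERSION()` on each server; hostnames are placeholders.
    sample = {
        "db-prod-1": "11.4.9-MariaDB-log",
        "db-prod-2": "11.4.10-MariaDB",
        "db-analytics": "11.8.5-MariaDB-1:11.8.5+maria~ubu2404",
        "db-dev": "12.2.1-MariaDB",
        "db-legacy": "10.11.9-MariaDB",
        "db-unknown": "n/a",
    }
    for host, status in sorted(triage(sample).items()):
        print(f"{host:14s} {sample[host]:42s} {status}")
```

Run it as a script for the constructed inventory, or import `assess` into whatever fleet-scanning job already collects `SELECT VERSION()` output; the patch-level comparison on tuples keeps "11.4.10" correctly newer than "11.4.9", which a plain string comparison would get wrong.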
- CWE(s): CWE-122 (Heap-based Buffer Overflow)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authenticated remote exploitation of the heap buffer overflow in MariaDB server enables denial of service via a crash (T1499.004) and potentially remote code execution leading to privilege escalation (T1068), both delivered through exploitation of a remote service (T1210).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mandates timely remediation of known flaws like this heap buffer overflow via vendor patches such as MariaDB 11.4.10, 11.8.6, or 12.2.2.
- SI-16 (Memory Protection): Implements memory safeguards like ASLR and stack canaries to protect against heap-based buffer overflow exploitation leading to crashes or potential RCE.
- Information input validation: Requires validation of inputs to functions like JSON_SCHEMA_VALID() to block malformed data that triggers the buffer overflow.