CVE-2026-35549

MEDIUM NVD

CVSS Score 6.5

Severity MEDIUM

Published Apr 03, 2026

Vendor unknown

Description

An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2. If the caching_sha2_password authentication plugin is installed, and some user accounts are configured to use it, a large packet can crash the server because sha256_crypt_r uses alloca.

References

https://jira.mariadb.org/browse/MDEV-38365