CVE-2025-21491: 
MySQL vulnerability analysis and mitigation

A vulnerability has been identified in Oracle MySQL Server's InnoDB component (CVE-2025-21491). The vulnerability affects MySQL Server versions 8.0.40 and prior, 8.4.3 and prior, and 9.1.0 and prior. This security issue was disclosed on January 21, 2025, and received a CVSS 3.1 Base Score of 4.9, indicating a moderate severity level (Oracle CPU, NVD).

The vulnerability is characterized as easily exploitable and requires a high-privileged attacker with network access via multiple protocols to compromise MySQL Server. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) indicates that the attack vector is network-based, with low attack complexity, requiring high privileges, and no user interaction. The scope is unchanged, with no impact on confidentiality or integrity, but high impact on availability (Oracle CPU).

Successful exploitation of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash, leading to a complete denial of service (DoS) of MySQL Server. The impact is primarily focused on system availability, with no direct effect on data confidentiality or integrity (NVD).

Oracle has released patches for this vulnerability in their January 2025 Critical Patch Update. Users are advised to upgrade to MySQL version 8.0.41 which contains fixes for this vulnerability. Ubuntu users can update to mysql-server-8.0 version 8.0.41 across various Ubuntu versions (20.04, 22.04, 24.04, and 24.10) (Ubuntu Notice).