Fluid Attacks Database

Description

An issue was discovered in MariaDB Server before 11.4.10, 11.5.x through 11.8.x before 11.8.6, and 12.x before 12.2.2. If the caching_sha2_password authentication plugin is installed, and some user accounts are configured to use it, a large packet can crash the server because sha256_crypt_r uses alloca.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	mariadb	=1:11.8.2-1 \|\| =1:11.8.3-0+deb13u1 \|\| =1:11.8.3-1 \|\| =1:11.8.5-1 \|\| =1:11.8.5-2 \|\| =1:11.8.5-3 \|\| =1:11.8.5-3~exp1 \|\| =1:11.8.5-3~exp2 \|\| =1:11.8.5-3~exp3 \|\| =1:11.8.5-4 \|\| >=0 <1:11.8.6-0+deb13u1	1:11.8.6-0+deb13u1
debian 14	mariadb	=1:11.8.2-1 \|\| =1:11.8.3-1 \|\| =1:11.8.5-1 \|\| =1:11.8.5-2 \|\| =1:11.8.5-3 \|\| =1:11.8.5-3~exp1 \|\| =1:11.8.5-3~exp2 \|\| =1:11.8.5-3~exp3 \|\| =1:11.8.5-4 \|\| >=0 <1:11.8.6-1	1:11.8.6-1
rpm rhel7	mariadb	-	-
rpm rhel8	mariadb	-	-
rpm rhel9	mariadb	-	-
rpm rhel10	mariadb11.8	-	-
rpm rhel10	mariadb10.11	-	-

Aliases

1. CVE-2026-355492. NVD-2026-355493. OSV-DEBIAN-2026-355494. OSV-2026-355495. SECURITY-TRACKER-CVE-2026-35549

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.