Bug 2496631 - CVE-2026-44172 mariadb-connector-c: MariaDB server: SQL injection vulnerability via improper handling of big5 character set with mysql_real_escape_string() [fedora-all]
Summary: CVE-2026-44172 mariadb-connector-c: MariaDB server: SQL injection vulnerabili...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: mariadb-connector-c
Version: rawhide
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Michal Schorm
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["a0312658-ec3c-47fd-96cf-8...
Depends On:
Blocks: CVE-2026-44172
TreeView+ depends on / blocked
 
Reported: 2026-07-02 17:20 UTC by Mauro Matteo Cascella
Modified: 2026-07-02 17:20 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2026-07-02 17:20:45 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections, even though mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19 and 3.4.9.


Note You need to log in before you can comment on or make changes to this bug.