Heap buffer overflow in MariaDB JSON_SCHEMA_VALID()
CVE-2026-32710 is a heap-based buffer overflow in MariaDB Server’s JSON schema validation logic reachable via the JSON_SCHEMA_VALID() function. The provided content identifies the vulnerable code path as json_get_normalized_string in sql/json_schema_helper.cc. In the affected implementation, a local DYNAMIC_STRING is initialized with init_dynamic_string(&a_res, NULL, 0, 0), resulting in a default buffer capacity of 128 bytes. When processing JSON string values, the code copies je->value_len bytes into a_res.str using strncpy without ensuring the destination buffer is large enough. Crafted long string values, including crafted enum definitions stored in user variables, can therefore overflow the heap buffer. The issue affects MariaDB 11.4 before 11.4.10 and 11.8 before 11.8.6; the content also states it is fixed in 12.2.2.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a working exploit lab for CVE-2026-32710 targeting MariaDB 11.4.x, confirmed on 11.4.9. It is not a scanner or detector; it contains a full exploit chain. The main component is exploit.py, a standalone Python exploit that implements a minimal MySQL/MariaDB protocol client over raw TCP sockets and performs a two-stage attack. Stage 1 exploits a heap out-of-bounds write in JSON_SCHEMA_VALID() to corrupt user-variable metadata and achieve a two-hop arbitrary write into Security_context::master_access, turning a SELECT-only account into one with ALL PRIVILEGES WITH GRANT OPTION. It then persists the escalation with GRANT ALL so the privilege change survives the eventual session crash and restart. Stage 2 uses the elevated privileges to load a malicious UDF shared library into the MariaDB plugin directory and invoke sys_exec() to run arbitrary operating system commands as the mysql user. Repository structure is small and purpose-built: exploit.py is the primary exploit; raptor_udf.c is the malicious UDF source implementing sys_exec() via system(); Dockerfile builds a MariaDB 11.4.9 lab image, compiles the UDF, and weakens plugin_dir permissions for convenience; init.sql creates the initial lowpriv account with only SELECT on test.*; setup.sh automates building and launching the vulnerable Docker lab with SYS_PTRACE and port 3306 exposed; README.md documents the vulnerability, exploitation stages, constraints, and usage. The exploit’s main capability is privilege escalation followed by command execution. It targets MariaDB over the network using SQL queries sent to TCP/3306, but it also relies on local/container introspection in the provided lab to read /proc/1/mem and discover heap addresses needed for reliable exploitation. The README explicitly notes that the actual corruption and arbitrary-write chain are pure SQL over TCP, while the memory introspection is a lab-only substitute for a real info leak. Because the payload is functional but environment-specific and not integrated into a broader exploitation framework, the maturity is best classified as OPERATIONAL.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A heap buffer overflow in MariaDB's JSON_SCHEMA_VALID function that can be triggered by any authenticated user with a single SQL query, potentially enabling code execution or server crash.
An authenticated memory corruption vulnerability in MariaDB's JSON_SCHEMA_VALID() function that can cause a crash and may be convertible to remote code execution only under highly constrained conditions.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.