CVE-2024-32886

Vitess vulnerable to infinite memory consumption and vtgate crash

Description

Vitess is a database clustering system for horizontal scaling of MySQL. When executing the following simple query, the `vtgate` will go into an endless loop that also keeps consuming memory and eventually will run out of memory. This vulnerability is fixed in 19.0.4, 18.0.5, and 17.0.7.

Category

4.9
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.06%
Affected: vitessio vitess
Published at:
Updated at:

References

Link Tags
https://github.com/vitessio/vitess/security/advisories/GHSA-649x-hxfx-57j2
https://github.com/vitessio/vitess/commit/2fd5ba1dbf6e9b32fdfdaf869d130066b1b5c0df
https://github.com/vitessio/vitess/commit/9df4b66550e46b5d7079e21ed0e1b0f49f92b055
https://github.com/vitessio/vitess/commit/c46dc5b6a4329a10589ca928392218d96031ac8d
https://github.com/vitessio/vitess/commit/d438adf7e34a6cf00fe441db80842ec669a99202
https://github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/convert.go#L73-L79
https://github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/unicode/utf16.go#L69-L71

Frequently Asked Questions

What is the severity of CVE-2024-32886?
CVE-2024-32886 has been scored as a medium severity vulnerability.
How to fix CVE-2024-32886?
To fix CVE-2024-32886, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-32886 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-32886 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-32886?
CVE-2024-32886 affects vitessio vitess.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.