NCSC-2026-0032 CVEs affecting PXC 8.4.7-7.1

Hi Percona team,

We are currently running Percona XtraDB Cluster 8.4.7‑7.1 with the Percona Operator 1.19.0.
This version is based on Percona Server for MySQL 8.4.7, which itself is based on Oracle MySQL 8.4.7.

According to the NCSC-2026-0032 advisory, the following MySQL CVEs affect MySQL versions up to 8.4.7:

  • CVE-2026-21968 – Optimizer DoS via specially crafted queries
  • CVE-2026-21949 – Optimizer server crash
  • CVE-2026-21948 – Optimizer DoS
  • CVE-2026-21941 – Optimizer crash/hang
  • CVE-2026-21936 – InnoDB Denial of Service
  • CVE-2026-21964 – Thread Pool crash/hang
  • CVE-2025-6965 – packaging / dependency issue

My questions are:

  1. Is there a planned release of Percona XtraDB Cluster 8.4.x that includes upstream fixes for these CVEs?
  2. Are there any recommended mitigations we can apply in the meantime to reduce risk?

Thank you

Percona Server for MySQL 8.4.8-8.1 includes fixes for all the CVEs you listed except CVE-2025-6965.

CVE-2025-6965 is a vulnerability in the SQLite database engine, specifically affecting SQLite versions prior to 3.50.2. Since Percona Server for MySQL does not use or embed SQLite in its server codebase, this vulnerability does not impact Percona Server.

Therefore:

  • CVE-2026-21936, CVE-2026-21941, CVE-2026-21948, CVE-2026-21949, CVE-2026-21964, and CVE-2026-21968 are addressed in Percona Server for MySQL 8.4.8-8.1.
  • CVE-2025-6965 is not applicable, as it pertains exclusively to SQLite and has no impact on Percona Server.
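The check below is an added example, not code from either post or from Percona. It encodes only what the thread states (Percona Server for MySQL 8.4.8-8.1 carries the fixes for the six MySQL CVEs; CVE-2025-6965 is SQLite-only and does not apply) and shows how to compare a Percona build string against that fixed version correctly. The version strings used are constructed samples in the shape Percona builds report from `SELECT VERSION()` (upstream version, dash, Percona release number); that format, and the restriction to the 8.4 series, are assumptions of the example.

```python
"""Decide whether a Percona Server / PXC 8.4 build is still exposed to the
MySQL CVEs listed in NCSC-2026-0032, based only on what the thread states.

Added example (not Percona's code). Assumes the Percona version string format
"<major>.<minor>.<patch>-<release>[.<sub>][-log]" as returned by SELECT VERSION().
"""
import re
from typing import List, Optional, Tuple

# Fix information as stated in the thread: Percona Server for MySQL 8.4.8-8.1.
FIXED_IN = (8, 4, 8, 8, 1)

# The six MySQL CVEs the thread says are addressed in 8.4.8-8.1.
MYSQL_CVES = [
    "CVE-2026-21936",  # InnoDB Denial of Service
    "CVE-2026-21941",  # Optimizer crash/hang
    "CVE-2026-21948",  # Optimizer DoS
    "CVE-2026-21949",  # Optimizer server crash
    "CVE-2026-21964",  # Thread Pool crash/hang
    "CVE-2026-21968",  # Optimizer DoS via specially crafted queries
]

# Listed in the advisory but, per the thread, not applicable to Percona Server.
NOT_APPLICABLE = {
    "CVE-2025-6965": "SQLite (< 3.50.2) issue; Percona Server does not embed SQLite",
}

# Upstream triple, then Percona's own release counter (e.g. "8.4.7-7.1-log").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:\.(\d+))?")


def parse_version(version: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Parse a Percona build string into an integer tuple.

    Returns None when the string carries no Percona release suffix, since the
    thread only states fix information for Percona builds.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, rel, sub = m.groups()
    return (int(major), int(minor), int(patch), int(rel), int(sub or 0))


def is_patched(version: str) -> bool:
    """True when the build is at or above Percona Server 8.4.8-8.1.

    Versions are compared as integer tuples, not strings: "8.4.10-10.1" must
    sort after "8.4.9-9.1", which a plain string comparison gets wrong.
    """
    v = parse_version(version)
    if v is None:
        raise ValueError(f"not a Percona build string: {version!r}")
    if v[:2] != (8, 4):
        # The thread only covers the 8.4 release line; other lines have their
        # own fix releases, so refuse rather than guess.
        raise ValueError(f"only the 8.4 series is covered here: {version!r}")
    return v >= FIXED_IN


def open_cves(version: str) -> List[str]:
    """MySQL CVEs from the advisory still open on this build (empty if patched)."""
    return [] if is_patched(version) else list(MYSQL_CVES)


def report(version: str) -> str:
    """Human-readable summary for an operator, one line per finding."""
    lines = [f"{version}: {'patched' if is_patched(version) else 'VULNERABLE'}"]
    lines += [f"  open: {cve}" for cve in open_cves(version)]
    lines += [f"  n/a:  {cve} ({why})" for cve, why in NOT_APPLICABLE.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample strings: the version from the question and the fixed release.
    for sample in ("8.4.7-7.1", "8.4.7-7.1-log", "8.4.8-8.1", "8.4.10-10.1"):
        print(report(sample))
```

Run it against the output of `SELECT VERSION()` from each cluster node rather than the Operator's CR version, since the two can diverge during a rolling upgrade.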