CVE-2026-44170

Publication date 12 June 2026

Last updated 11 July 2026


Ubuntu priority

Cvss 3 Severity Score

9.9 · Critical

Score breakdown

Description

MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on WIndows with installed CONNECT engine and enabled REST support interpolated table HTTP attribute into the curl command line without proper sanitizing. This allows the user to execute shell commands on the server. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.

Read the notes from the security team

Status

Package Ubuntu Release Status
mariadb 26.04 LTS resolute
Not affected
25.10 questing Ignored end of life, was not-affected (windows only)
24.04 LTS noble
Not affected
22.04 LTS jammy Not in release
mariadb-10.1 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
18.04 LTS bionic
Not affected
mariadb-10.3 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release
20.04 LTS focal
Not affected
mariadb-10.6 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy
Not affected
mariadb-10.0 26.04 LTS resolute Not in release
25.10 questing Not in release
24.04 LTS noble Not in release
22.04 LTS jammy Not in release

Notes


mdeslaur

This is a windows-specific issue

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
mariadb

Severity score breakdown

CVSS version:

Base score 6.3 · Medium

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Base score 9.9 · Critical

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H


Access our resources on patching vulnerabilities