MariaDB JSON_SCHEMA_VALID() Function Vulnerability Leading to Crash and Potential Remote Code Execution

Vulnerability

A heap-based buffer overflow vulnerability has been identified in the MariaDB server, specifically in versions 11.4 prior to 11.4.10, 11.8 prior to 11.8.6, and 12.1.2. It allows an authenticated user to crash the server by exploiting a bug in the JSON_SCHEMA_VALID() function. Under certain conditions, which typically require precise control over memory layout achievable only in a lab environment, the crash could be leveraged for remote code execution.

Impact

Exploitation of this vulnerability causes a server crash, with the potential under specific conditions to lead to remote code execution.

Reproduction

The vulnerability can be reproduced by calling the JSON_SCHEMA_VALID() function with a crafted JSON schema that includes a long enum value. This can be done with a SELECT on JSON_SCHEMA_VALID() whose schema has an enum array containing a large number of elements or very large values, formatted to exceed typical parsing limits.

Remediation

Users can upgrade to MariaDB versions 11.4.10, 11.8.6, or 12.2.2 to address this vulnerability.
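
To triage a fleet against the version ranges stated above, the following added example (not part of the original advisory or of MariaDB) classifies the string returned by SELECT VERSION() on each server. The function names and the sample inventory are assumptions made for illustration, and any release series the advisory does not mention is reported as "not-listed" rather than guessed at.

```python
import re

# Series ranges from the advisory text: (major, minor) -> first fixed patch level.
FIXED_IN_SERIES = {(11, 4): 10, (11, 8): 6}
# The advisory names 12.1.2 as an affected release and 12.2.2 as a fixed one.
AFFECTED_EXACT = {(12, 1, 2)}
FIXED_EXACT = {(12, 2, 2)}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string):
    """Parse SELECT VERSION() output such as '11.4.9-MariaDB-log'."""
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(part) for part in m.groups())


def classify(version_string):
    """Return 'affected', 'fixed' or 'not-listed' for one server version."""
    version = parse_version(version_string)
    if version in AFFECTED_EXACT:
        return "affected"
    if version in FIXED_EXACT:
        return "fixed"
    first_fixed = FIXED_IN_SERIES.get(version[:2])
    if first_fixed is None:
        return "not-listed"  # the advisory makes no statement about this series
    return "affected" if version[2] < first_fixed else "fixed"


def triage(inventory):
    """Map host -> status; unparseable strings are flagged for manual review."""
    result = {}
    for host, version_string in inventory.items():
        try:
            result[host] = classify(version_string)
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "db-a.example": "11.4.9-MariaDB-log",
    "db-b.example": "11.8.6-MariaDB",
    "db-c.example": "10.11.6-MariaDB-0+deb12u1",
}
```

Hosts reported as "not-listed" or "unparseable" need a manual check against the vendor's release notes, since the advisory text alone does not cover them.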

Added: Mar 20, 2026, 7:24 PM
Updated: Mar 20, 2026, 7:24 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 10.0
exploitability: 6.0
remediation: 7.7
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.