CVE-2010-3682

MySQL < 5.1.49 and < 5.0.92 - Authenticated Denial of Service via EXPLAIN with Crafted SELECT UNION ORDER BY

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-3682. PoCs published by Bjorn Munch.

AI-analyzed exploit summary This exploit demonstrates a denial-of-service vulnerability in MySQL versions prior to 5.1.49 by executing specific SQL queries that crash the database. The PoC involves creating tables and executing malformed UNION and ORDER BY queries with subqueries.

Description

Oracle MySQL 5.1 before 5.1.49 and 5.0 before 5.0.92 allows remote authenticated users to cause a denial of service (mysqld daemon crash) by using EXPLAIN with crafted "SELECT ... UNION ... ORDER BY (SELECT ... WHERE ...)" statements, which triggers a NULL pointer dereference in the Item_singlerow_subselect::store function.

Exploits (1)

exploitdb WORKING POC VERIFIED
by Bjorn Munch · textdoslinux
https://www.exploit-db.com/exploits/34506

This exploit demonstrates a denial-of-service vulnerability in MySQL versions prior to 5.1.49 by executing specific SQL queries that crash the database. The PoC involves creating tables and executing malformed UNION and ORDER BY queries with subqueries.

Classification
Working Poc 90%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: MySQL prior to 5.1.49
Auth required
Prerequisites: Access to a MySQL database with sufficient privileges to execute DDL and DML statements
mistral-large-3 · analyzed Feb 16, 2026 Full analysis →

References (25)

Core 25
Core References
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2011-0164.html
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1397-1
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1017-1
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2011:012
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2010:222
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2010:155
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT4723
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42875
Various Sources vendor-advisory x_refsource_turbo
http://www.turbolinux.co.jp/security/2011/TLSA-2011-3j.txt
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0105
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0170
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0133
Various Sources x_refsource_confirm
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-92.html
Various Sources x_refsource_confirm
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-49.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2011/dsa-2143
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/64684
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2011/0345
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/42599
Exploit, Patch x_refsource_confirm
http://bugs.mysql.com/bug.php?id=52711
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42936
Exploit, Patch x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=628328
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0825.html
Exploit, Patch mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/09/28/10

Scores

EPSS 0.1144
EPSS Percentile 95.5%

Details

Status published
Products (50)
mysql/mysql 5.1.23
mysql/mysql 5.1.31
mysql/mysql 5.1.32
mysql/mysql 5.1.34
mysql/mysql 5.1.37
mysql/mysql 5.0.0
mysql/mysql 5.0.1
mysql/mysql 5.0.2
mysql/mysql 5.0.10
mysql/mysql 5.0.15
... and 40 more
Published Jan 11, 2011
Tracked Since Feb 18, 2026