CVE-2026-44172
Received Received - Intake
MariaDB Server SQL Injection via Big5 Character Set

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
MariaDB server is a community developed fork of MySQL server. In versions 3.3.18 and 3.4.8, an application that was taking non-validated user input, escaping it with mysql_real_escape_string() and sending it to the database using text protocol and big5 character set was vulnerable to SQL injections, even though mysql_real_escape_string() was supposed to prevent them. This issue has been patched in versions 3.3.19 and 3.4.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-12
Last Modified
2026-06-12
Generated
2026-06-13
AI Q&A
2026-06-12
EPSS Evaluated
N/A
NVD
CVE-2026-44172
EUVD
EUVD-2026-36517
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
mariadb mariadb 3.3.18
mariadb mariadb 3.4.8
mariadb mariadb 3.3.19
mariadb mariadb 3.4.9
mariadb libmariadb 3.3
mariadb libmariadb 3.4
mariadb connector_c 3.3
mariadb connector_c 3.4
mariadb mariadb to 3.3.19 (exc)
mariadb mariadb to 3.4.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-44172 vulnerability affects the mysql_real_escape_string() function in MariaDB when handling the big5 character set.

Applications that use this function to escape non-validated user input before sending it to a database with the big5 character set remain vulnerable to SQL injection attacks because the function fails to properly neutralize special SQL elements in big5-encoded input.

This means that despite the intended purpose of mysql_real_escape_string() to prevent SQL injection, certain big5 character sequences are not correctly escaped, allowing attackers to inject malicious SQL commands.

The vulnerability was patched in MariaDB versions 3.3.19 and 3.4.9.

Impact Analysis

This vulnerability can allow attackers to perform SQL injection attacks on applications using MariaDB with the big5 character set and relying on mysql_real_escape_string() for input sanitization.

SQL injection can lead to unauthorized access to or manipulation of the database, including data leakage, data corruption, or unauthorized administrative actions.

Such attacks can compromise the integrity, confidentiality, and availability of your data and systems.

Detection Guidance

This vulnerability arises from improper escaping of user input using mysql_real_escape_string() with the big5 character set, leading to potential SQL injection.

To detect this vulnerability on your system, you can check the version of MariaDB or MariaDB Connector/C you are running. Versions 3.3.18 and 3.4.8 are vulnerable, while versions 3.3.19 and 3.4.9 contain the fix.

You can run commands to identify the installed version, for example:

  • For MariaDB server: `mysql --version` or `mariadb --version`
  • For MariaDB Connector/C library: check package manager or library version, e.g., `dpkg -l | grep mariadb` on Debian-based systems or `rpm -qa | grep mariadb` on RedHat-based systems.

Additionally, to detect potential exploitation attempts, monitor database logs for suspicious SQL queries containing unusual big5 character sequences or unexpected SQL syntax that bypasses escaping.

Since the vulnerability is related to SQL injection, using SQL injection detection tools or web application firewalls (WAFs) that inspect queries for injection patterns may help identify attempts.

Mitigation Strategies

The primary mitigation is to upgrade MariaDB or MariaDB Connector/C to versions 3.3.19 or 3.4.9 or later, where the vulnerability has been patched.

If upgrading immediately is not possible, consider the following temporary workarounds:

  • Avoid using the big5 character set when escaping user input with mysql_real_escape_string(). Switching to the gbk character set can mitigate the issue temporarily.
  • Use prepared statements with parameterized queries instead of manually escaping parameters in SQL queries. This approach prevents SQL injection more reliably.

Also, review and sanitize all user inputs rigorously and monitor for suspicious activity to reduce risk until a full patch can be applied.

Compliance Impact

The vulnerability in MariaDB's mysql_real_escape_string() function allows SQL injection attacks when using the big5 character set, which can lead to unauthorized access or manipulation of sensitive data stored in the database.

Such unauthorized access or data breaches could potentially violate common data protection standards and regulations like GDPR and HIPAA, which require organizations to protect personal and sensitive information from unauthorized access and ensure data integrity.

Therefore, if exploited, this vulnerability could negatively impact compliance with these regulations by exposing sensitive data or allowing unauthorized data manipulation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44172. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart