CVE-2026-48773
Undergoing Analysis Undergoing Analysis - In Progress

Heap Memory Corruption in ProxySQL

Vulnerability report for CVE-2026-48773, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-19

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description

ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. Versions 2.0.18 through 3.0.8 have a pre-authentication heap memory corruption vulnerability in the MySQL and PostgreSQL protocol first-read paths. A remote unauthenticated client can declare an oversized first packet length, and ProxySQL passes that attacker-controlled length directly to `recv()` while writing into a fixed 32 KB input queue. Version 3.0.9 patches the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-19
Last Modified
2026-06-22
Generated
2026-07-11
AI Q&A
2026-06-19
EPSS Evaluated
2026-07-10
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
sysown proxysql From 2.0.18 (inc) to 3.0.8 (inc)
sysown proxysql 3.0.9
sysown proxysql 3.1.9
sysown proxysql 4.0.9

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-48773 is a critical pre-authentication heap memory corruption vulnerability in ProxySQL versions 2.0.18 through 3.0.8. It affects the handling of the first packet in the MySQL and PostgreSQL protocols. A remote unauthenticated attacker can send an oversized first packet length, which ProxySQL uses directly in a recv() call to read data into a fixed 32 KB input queue without validating the packet size. This leads to a heap buffer overflow, causing memory corruption.

The vulnerability arises because ProxySQL reads the protocol header and then uses the declared packet length as the size for the recv() operation without checking if it fits within the queue's remaining capacity. This flaw can cause crashes and heap corruption in real-world deployments.

Impact Analysis

This vulnerability can have severe impacts including remote code execution, denial of service, and crashes. Since it is exploitable by a remote unauthenticated attacker with low complexity and no user interaction, it poses a high risk to the confidentiality, integrity, and availability of systems running vulnerable ProxySQL versions.

  • Remote code execution by an attacker.
  • Denial of service due to crashes or heap corruption.
  • Potential compromise of data confidentiality and integrity.
Detection Guidance

This vulnerability can be detected by monitoring network traffic to ProxySQL listener ports for MySQL (default port 6033) and PostgreSQL (default port 6134) for unusually large or malformed first packets that exceed the expected protocol limits.

Since the vulnerability involves an attacker sending an oversized first packet, you can use network packet capture tools like tcpdump or Wireshark to capture and analyze the initial packets sent to these ports.

  • Use tcpdump to capture packets on MySQL port 6033: tcpdump -i <interface> port 6033 -w proxysql_mysql_first_packet.pcap
  • Use tcpdump to capture packets on PostgreSQL port 6134: tcpdump -i <interface> port 6134 -w proxysql_pgsql_first_packet.pcap

After capturing, analyze the first packet length fields in the protocol headers to identify any packets declaring lengths larger than the expected maximum or larger than the 32 KB input queue size.

Additionally, monitoring ProxySQL logs or crash reports for heap corruption or crashes related to packet handling can help detect exploitation attempts.

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade ProxySQL to version 3.0.9 or later, where this vulnerability has been fixed.

Upgrading ensures that packet length validation is properly implemented, preventing oversized first packets from causing heap buffer overflows.

If upgrading immediately is not possible, consider restricting network access to ProxySQL listener ports (6033 for MySQL and 6134 for PostgreSQL) to trusted clients only, using firewall rules or network segmentation to reduce exposure.

Monitor ProxySQL logs and system stability closely for signs of exploitation attempts or crashes.

Compliance Impact

This vulnerability has a critical impact on confidentiality, integrity, and availability due to its nature as a pre-authentication heap memory corruption exploitable by a remote unauthenticated attacker.

Such impacts could potentially affect compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system availability.

However, the provided information does not explicitly describe how this vulnerability directly affects compliance with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48773. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart