A heap buffer overflow in MariaDB’s JSON_SCHEMA_VALID() function went unnoticed for years — until AI-assisted code analysis flagged it earlier this year. The flaw, now tracked as CVE-2026-32710, was disclosed on March 19, 2026, and patches landed the same day. If your server runs MariaDB 11.4.x or 11.8.x and you haven’t applied the update yet, this is the one to prioritise this week.
What the Bug Actually Does
The problem lives in json_get_normalized_string() inside sql/json_schema_helper.cc. The function allocates a fixed 128-byte heap buffer and then copies a JSON string value into it using strncpy — without first checking whether the value fits. If an attacker crafts a JSON schema with a string field longer than that buffer, the heap overflows.
In the crash-only scenario, the database server aborts, which is already bad enough on a production machine. Researchers at ZeroDay.cloud published a deeper analysis showing that under controlled conditions the overflow can be used to corrupt internal session metadata, potentially escalating an authenticated user’s connection to superuser level and from there to arbitrary OS command execution. The exploit chain requires authenticated SQL access — so it is not remotely exploitable without credentials — but on shared hosting environments where many users hold database-level credentials, that bar is lower than it sounds.
The fix replaces strncpy with dynstr_set(), which resizes the buffer dynamically to accommodate the input. Unglamorous, one-line fix; the kind that makes you wonder how many similar patterns are hiding elsewhere in codebases that have been around since the mid-2000s.
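To make the contrast concrete, here is an added illustrative C example (not MariaDB's code) of the two ways the copy could have been made safe: a length-checked copy into a fixed 128-byte buffer, and a minimal growable string in the spirit of dynstr_set() that resizes itself to the input. The names copy_to_fixed, dyn_str, dyn_set and FIXED_BUF_SIZE are assumptions for this illustration.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative reimplementation of the two copy strategies the text contrasts;
 * not MariaDB's code. FIXED_BUF_SIZE mirrors the 128-byte buffer described. */
#define FIXED_BUF_SIZE 128

/* Option 1: keep the fixed buffer but check the length before copying.
 * Returns false (and copies nothing) when the value plus its NUL does not fit,
 * which is exactly the check an unbounded strncpy never makes. */
bool copy_to_fixed(char *dst, size_t dst_size, const char *val, size_t val_len)
{
    if (dst == NULL || dst_size == 0 || val_len >= dst_size)
        return false;
    memcpy(dst, val, val_len);
    dst[val_len] = '\0';
    return true;
}

/* Option 2: a growable string (assumed layout, loosely modelled on dynstr):
 * the buffer is resized to the input instead of the input being trusted to
 * fit the buffer. */
typedef struct {
    char *str;
    size_t length;      /* bytes in use, excluding the terminator */
    size_t max_length;  /* bytes allocated */
} dyn_str;

bool dyn_init(dyn_str *d, size_t initial)
{
    if (initial == 0) initial = 1;           /* always room for the terminator */
    d->str = malloc(initial);
    d->length = 0;
    d->max_length = d->str ? initial : 0;
    return d->str != NULL;
}

bool dyn_set(dyn_str *d, const char *val, size_t val_len)
{
    if (val_len + 1 > d->max_length) {      /* grow to hold val plus NUL */
        char *p = realloc(d->str, val_len + 1);
        if (!p) return false;                /* allocation failure is an error, not an overflow */
        d->str = p;
        d->max_length = val_len + 1;
    }
    memcpy(d->str, val, val_len);
    d->str[val_len] = '\0';
    d->length = val_len;
    return true;
}

void dyn_free(dyn_str *d) { free(d->str); d->str = NULL; d->length = d->max_length = 0; }
```

A 300-byte value is rejected by copy_to_fixed but accepted by dyn_set, which grows the allocation to 301 bytes; either behaviour is safe, whereas an unchecked copy into the fixed buffer is not.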
The AI Angle
CSO Online reported that this class of bug — in both MariaDB and a companion PostgreSQL flaw — was surfaced by AI-assisted analysis rather than traditional fuzzing or manual review. The finding fits a broader pattern: AI tools are increasingly effective at catching the kind of boundary-condition mistakes that human reviewers skim past after the hundredth similar function. Whether that’s reassuring or unsettling depends on how you feel about the backlog of old C code that hasn’t been subjected to the same treatment yet.
Which Versions Are Affected
CVE-2026-32710 affects:
- MariaDB 11.4.x — all releases before 11.4.10
- MariaDB 11.8.x — all releases before 11.8.6
Patched releases are 11.4.10, 11.8.6, and 12.2.2. The MariaDB project does not list the 10.6 or 10.11 long-term-support branches as affected by this specific CVE, though those branches carry other recent fixes (CVE-2026-21968, patched in 10.11.15 and 10.6.24) and should be kept current regardless.
Patching
On Debian/Ubuntu with the MariaDB repository:
apt update && apt install mariadb-server
mariadb --version
On AlmaLinux/Rocky/RHEL:
dnf update mariadb-server
mariadb --version
After the upgrade, confirm the version string shows 11.4.10, 11.8.6, or later. A service restart is required for the new binary to take effect:
systemctl restart mariadb
There is no known workaround other than upgrading. Disabling JSON schema validation at the application level is not a practical mitigation for a shared environment.
What This Means for kalfaoglu.net Customers
Shared hosting plans on our platform run MariaDB for all PHP-based applications — WordPress, Joomla, WooCommerce, and so on. We apply security patches to the database layer during scheduled maintenance windows, so if your hosting account is on our infrastructure, you don’t need to do anything. If you are running a VPS or dedicated server and manage your own MariaDB installation, check your version now and upgrade if you are on an affected 11.4.x or 11.8.x release.
If you are on an older 10.x series — which is still common on servers provisioned before 2024 — check the MariaDB security CVE page to see which advisories apply to your specific branch. Staying one or two minor versions behind is a common pattern that quietly accumulates risk.
The broader takeaway here is not specific to MariaDB: the combination of AI-assisted code review and legacy C codebases is going to keep producing surprises like this for a while. The sensible response is the boring one — keep your packages current and subscribe to the relevant security announce lists so surprises arrive as notifications rather than incidents.
Sources: NVD · ZeroDay.cloud deep dive · Security Online · CSO Online · Security Boulevard · SentinelOne CVE DB