Details
- Bug
- Status: Open
- Minor
- Resolution: Unresolved
- 11.8.6
- None
- None
OS: Rocky Linux 8.10 (VM on VMware ESXi)
Platform:
- Docker Engine running on Rocky Linux 8.10
MariaDB Versions Tested:
- MariaDB 11.8.6 (official Docker image)
- MariaDB 11.8.5 (official Docker image)
- MariaDB 10.3.39 (official Docker image)
Configuration:
- server_audit plugin enabled
- server_audit_logging = ON
- server_audit_output_type = FILE
- server_audit_events configured as:
  - QUERY_DML
  - QUERY_DDL
  - QUERY_DCL (tested separately)
Test Context:
- All tests executed inside Docker containers
- Same host system and Docker environment used for all versions
- Behavior compared across versions under identical conditions
Description
Summary:
While reproducing CVE-2026-3494, unexpected audit logging omissions were observed in MariaDB 11.8.6.
Description:
During validation of CVE-2026-3494, we performed comparative testing across MariaDB versions 10.3.39, 11.8.5, and 11.8.6 using the server_audit plugin.
The tests were conducted under identical conditions, with server_audit enabled and audit events configured using QUERY_DML/DDL/DCL filters.
# MariaDB 10.3.39 & 11.8.6 & 11.8.5
MariaDB [(none)]> install plugin server_audit soname 'server_audit.so';
Query OK, 0 rows affected (0.021 sec)
MariaDB [(none)]> set global server_audit_logging=ON;
Query OK, 0 rows affected (0.001 sec)
MariaDB [(none)]> set global server_audit_events='QUERY_DCL,QUERY_DDL,QUERY_DML';
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> set global server_audit_output_type=FILE;
Query OK, 0 rows affected (0.000 sec)
The following discrepancies were observed specifically in MariaDB 11.8.6:
1. Missing audit log for ERROR 1046 (No database selected)
MariaDB [(none)]> SELECT * FROM user;
ERROR 1046 (3D000): No database selected
MariaDB [(none)]> SELECT * FROM mysqql.user;
ERROR 1146 (42S02): Table 'mysqql.user' doesn't exist

# MariaDB 10.3.39 (Logged)
20260412 13:28:22,77f802a94157,root,localhost,53,79,QUERY,mysql,'SELECT * FROM user',1046
20260412 13:34:38,77f802a94157,root,localhost,53,80,QUERY,mysql,'select * from mysqql.user',1146

# MariaDB 11.8.6 (Not Logged<1046>)
20260412 13:34:38,67aec2205de2,root,localhost,10,82,QUERY,mysql,'select * from mysqql.user',1146

# MariaDB 11.8.5 (Logged)
20260412 13:34:38,90bb7eb5918d,root,localhost,9,79,QUERY,mysql,'select * from mysqql.user',1146
20260412 13:34:56,90bb7eb5918d,root,localhost,9,80,QUERY,mysql,'SELECT * FROM user',1046
2. PoC Test (multi-line SET PASSWORD with inline comment)
MariaDB [(none)]> SET PASSWORD
    -> # I'm trying to test for CVE-2026-3494
    -> FOR 'u01'@'localhost' = password('Test1234!');
Query OK, 0 rows affected (0.001 sec)

# MariaDB 10.3.39 (Logged)
20260412 14:08:05,77f802a94157,root,localhost,56,92,QUERY,mysql,'SET PASSWORD\n\nfor \'u01\'@\'localhost\' = PASSWORD(*****)',0

# MariaDB 11.8.6 (Not Logged)

# MariaDB 11.8.5 (Logged)
20260412 14:08:05,90bb7eb5918d,root,localhost,10,88,QUERY,mysql,'SET PASSWORD\n\nfor \'u01\'@\'localhost\' = PASSWORD(*****)',0
3. PoC Test (multi-line SELECT with comment)
MariaDB [(none)]> SELECT
    -> # CVE-2026-3494 Test #2
    -> HOST, USER from mysql.user;
+-----------+------+
| HOST      | USER |
+-----------+------+
| %         | root |
| localhost | root |
| localhost | u01  |
+-----------+------+
3 rows in set (0.001 sec)

# MariaDB 10.3.39 (Logged)
20260412 13:49:23,77f802a94157,root,localhost,54,85,QUERY,mysql,'SELECT \n\nHOST, USER from mysql.user',0

# MariaDB 11.8.6 (Logged)
20260412 13:49:23,67aec2205de2,root,localhost,10,86,QUERY,mysql,'SELECT \n\nHOST, USER from mysql.user',0

# MariaDB 11.8.5 (Logged)
20260412 13:49:23,90bb7eb5918d,root,localhost,9,83,QUERY,mysql,'SELECT \n\nHOST, USER from mysql.user',0
Analysis:
These results indicate that, in MariaDB 11.8.6, certain SQL statements—particularly those involving multi-line structures or specific parsing conditions—are not properly captured by the server_audit plugin.
According to the CVE description, affected versions (including 11.8.5 and earlier) may fail to log queries when prefixed with comment styles such as '--' or '#'.
However, in our testing, MariaDB 11.8.5 and 10.3.39 consistently logged queries even when comments were included.
In contrast, MariaDB 11.8.6 exhibited cases where certain statements (e.g., multi-line SET PASSWORD with inline comments) were successfully executed but not recorded in the audit log.
This behavior does not align with the expected improvement described in the CVE fix and may indicate an unintended change in audit logging behavior.
Expected / Clarification:
We would like to understand whether the observed behavior in MariaDB 11.8.6 is intended.
Specifically:
- Is the omission of audit logs for ERROR 1046 (No database selected) queries an intentional change?
- Is the absence of audit logs for successfully executed statements containing inline comments (e.g., multi-line SET PASSWORD) expected behavior?
Additionally, we would like clarification on whether these changes are related to the fix for CVE-2026-3494.
If this behavior is not intended, it may indicate an unintended change in audit logging, and we would appreciate confirmation on whether a fix is planned.
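The cross-version comparison from tests 1 to 3 can be automated. This is an added example, not part of the original report or of MariaDB's code. It parses the server_audit FILE lines quoted above and lists, per version, the statements that another version logged but this one did not. The field names, `REPORT_LOGS` and the function names are this example's own.

```python
import re
from collections import namedtuple

# Field order follows the log lines in the report; the names are this example's own.
Record = namedtuple("Record", "ts serverhost user host conn_id query_id "
                              "operation database obj retcode")

def parse_line(line):
    """Parse one server_audit FILE record and unescape its quoted object field."""
    parts = line.strip().split(",", 8)          # the first 8 fields hold no commas here
    if len(parts) != 9:
        raise ValueError(f"unexpected record: {line!r}")
    obj, _, retcode = parts[8].rpartition(",")  # the object may contain commas itself
    if len(obj) >= 2 and obj[0] == obj[-1] == "'":
        obj = obj[1:-1]                         # strip the surrounding quotes
    obj = re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), obj)
    return Record(*parts[:8], obj, int(retcode))

def normalize(sql):
    """Collapse whitespace and case so one statement matches across servers."""
    return " ".join(sql.split()).lower()

def logged(text):
    lines = (l for l in text.splitlines() if l.strip())
    return {(normalize(r.obj), r.retcode) for r in map(parse_line, lines)}

def missing_by_version(logs):
    """Per version: statements some other version logged but this one did not."""
    seen = {v: logged(t) for v, t in logs.items()}
    expected = set().union(*seen.values())
    return {v: sorted(expected - s) for v, s in seen.items()}

# Audit lines copied from the report above, grouped by server version.
REPORT_LOGS = {
    "10.3.39": r"""
20260412 13:28:22,77f802a94157,root,localhost,53,79,QUERY,mysql,'SELECT * FROM user',1046
20260412 13:34:38,77f802a94157,root,localhost,53,80,QUERY,mysql,'select * from mysqql.user',1146
20260412 14:08:05,77f802a94157,root,localhost,56,92,QUERY,mysql,'SET PASSWORD\n\nfor \'u01\'@\'localhost\' = PASSWORD(*****)',0
20260412 13:49:23,77f802a94157,root,localhost,54,85,QUERY,mysql,'SELECT \n\nHOST, USER from mysql.user',0""",
    "11.8.6": r"""
20260412 13:34:38,67aec2205de2,root,localhost,10,82,QUERY,mysql,'select * from mysqql.user',1146
20260412 13:49:23,67aec2205de2,root,localhost,10,86,QUERY,mysql,'SELECT \n\nHOST, USER from mysql.user',0""",
    "11.8.5": r"""
20260412 13:34:38,90bb7eb5918d,root,localhost,9,79,QUERY,mysql,'select * from mysqql.user',1146
20260412 13:34:56,90bb7eb5918d,root,localhost,9,80,QUERY,mysql,'SELECT * FROM user',1046
20260412 14:08:05,90bb7eb5918d,root,localhost,10,88,QUERY,mysql,'SET PASSWORD\n\nfor \'u01\'@\'localhost\' = PASSWORD(*****)',0
20260412 13:49:23,90bb7eb5918d,root,localhost,9,83,QUERY,mysql,'SELECT \n\nHOST, USER from mysql.user',0""",
}
print(missing_by_version(REPORT_LOGS))
```

The diff only finds statements that at least one server logged. A statement that every server drops has to be caught by comparing against the list of statements the test actually sent.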