This vulnerability in the InnoDB component of Oracle MySQL Server allows an attacker with high privileges and network access to cause a hang or repeated crash of the server, resulting in a denial of service. It affects multiple supported versions of MySQL Server from 8.0.0 up to 9.6.0. The CVSS vector indicates network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, no impact on confidentiality or integrity, and high impact on availability. The vulnerability is documented in Oracle's April 2026 Critical Patch Update advisory, which addresses 481 security patches across many Oracle products including MySQL Server. The advisory strongly recommends applying the Critical Patch Update without delay but does not explicitly state if the patch for this specific vulnerability is available or included in the update.

Successful exploitation allows a high privileged attacker with network access to cause a hang or frequent crash of the MySQL Server, resulting in a complete denial of service. There is no impact on confidentiality or integrity of the data. No known exploits in the wild have been reported. The impact is limited to availability disruption.

Oracle's April 2026 Critical Patch Update advisory strongly recommends that customers apply the update promptly to address this and other vulnerabilities. Although the advisory does not explicitly confirm the availability of a specific patch for CVE-2026-22004, it is included in the list of vulnerabilities addressed by the April 2026 CPU. Customers should review the official Oracle Critical Patch Update documentation and apply the relevant patches for MySQL Server versions 8.0.0-8.0.45, 8.4.0-8.4.8, and 9.0.0-9.6.0 as soon as possible. Patch status is not explicitly confirmed in the advisory text provided; therefore, verify patch availability and installation instructions directly from Oracle's advisory page.