External risk intelligence

ProxySQL Heap Memory Corruption Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-48773

ProxySQL functions as a database proxy designed to sit between application servers and database backends. While it typically resides within internal network segments to route traffic, it is occasionally exposed to the public internet in specific cloud or distributed architecture deployments to facilitate remote database connectivity or cross-data-center communication.

Weakness: Out-of-bounds Write (CWE-787)

External exposure likelihood (Halo Surface Signal): 3 out of 5 — possibly public-facing.

Horizon Alert

Summary of the vulnerability and why it matters

ProxySQL, a critical component for managing database traffic, has a vulnerability that could allow unauthenticated remote attackers to corrupt memory. The issue lies in how ProxySQL handles the initial network packet of a connection for both MySQL and PostgreSQL, and can lead to significant service disruption. The main concern is confirming whether our environment runs the affected versions of ProxySQL and whether those instances are exposed in a way that malicious actors could reach.

  • ProxySQL can be exploited remotely without authentication.
  • It sits between external clients and the database backends it proxies.
  • Confirm whether our systems run an affected version.

Attack Path

How an attacker could exploit the issue

An attacker can remotely target ProxySQL without authentication by sending a specially crafted, oversized network packet. This packet exploits a vulnerability in how ProxySQL handles initial connections for MySQL and PostgreSQL protocols. By sending a packet with an exaggerated length, the attacker can cause a memory corruption issue within ProxySQL's fixed-size input buffer, potentially leading to a crash or other adverse effects.

  • No authentication required; network reachability to the proxy suffices.
  • An oversized initial packet triggers the memory corruption.
  • Potential outcome: denial of service or code execution.

Live Threat

Current exploitation, exposure, and threat context

A pre-authentication heap memory corruption vulnerability in ProxySQL could allow an unauthenticated remote attacker to cause a denial of service or potentially execute arbitrary code. This could happen when ProxySQL processes an oversized first packet length from a client, leading to memory corruption within the proxy's input queue.

  • Affected: proxy memory and service availability.
  • Trigger: processing an oversized first packet from a client.
  • Impact: service disruption or code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This pre-authentication heap memory corruption vulnerability in ProxySQL requires immediate action from the teams responsible for database infrastructure and application delivery. The first practical step is to identify every instance running an affected ProxySQL version, determine its exposure (internal or external), and assess its business impact so that remediation can be prioritised together with the relevant application or database owners.

  • Database and platform teams own remediation.
  • Verify ProxySQL network exposure and criticality.
  • Plan and execute the upgrade to version 3.0.9 or later.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is ProxySQL and why is it used?

ProxySQL is a high-performance database proxy that acts as an intermediary between application servers and database backends like MySQL or PostgreSQL. It is used to improve database efficiency by managing connection pooling, load balancing, and query routing, ensuring that traffic is directed to the appropriate database node without requiring changes to the application code itself.

What does heap memory corruption mean for CVE-2026-48773?

This vulnerability is classified as CWE-787, or Out-of-bounds Write. It means that ProxySQL fails to properly check the size of incoming data packets. When a connection is first established, the proxy expects data of a certain size but receives a much larger packet, causing it to write that data into memory areas beyond its allotted 32 KB buffer. This corruption can overwrite critical information, potentially causing the service to crash or behave in unintended ways.

How can an attacker trigger this vulnerability?

An attacker triggers this flaw by sending a specially crafted, oversized network packet to a vulnerable ProxySQL instance during the initial connection handshake. It does not require any credentials or previous authentication. If the packet length declaration exceeds the expected size, the proxy blindly accepts it into its buffer, causing the memory error. Normal, correctly formatted traffic that follows the MySQL or PostgreSQL protocol specifications does not trigger this issue.
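The check whose absence defines this class of bug, shown as an added C example rather than ProxySQL's own code: the length a client declares in its very first frame is compared against a fixed 32 KB input buffer before a single byte is copied. The 32 KB figure is the one this advisory gives; the buffer, status codes and sample frames are constructed for illustration. The header layouts follow the public wire protocols (MySQL: 3-byte little-endian payload length plus a 1-byte sequence id; PostgreSQL startup message: 4-byte big-endian length that includes the length field itself).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed-size input buffer of the size the advisory names (32 KB). This is a constructed
 * stand-in for illustration, not ProxySQL's actual allocation. */
#define INPUT_BUFFER_SIZE (32u * 1024u)

enum proto { PROTO_MYSQL, PROTO_PGSQL };
enum frame_status { FRAME_OK = 0, FRAME_TRUNCATED = 1, FRAME_TOO_LARGE = 2, FRAME_MALFORMED = 3 };

/* Total on-the-wire size of the first frame, as declared by the client.
 * MySQL: 3-byte little-endian payload length, 1-byte sequence id, then the payload.
 * PostgreSQL startup message: 4-byte big-endian length that already counts itself. */
static size_t declared_frame_len(enum proto p, const uint8_t *hdr)
{
    if (p == PROTO_MYSQL) {
        uint32_t payload = (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) | ((uint32_t)hdr[2] << 16);
        return (size_t)payload + 4;
    }
    uint32_t total = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                     ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    return (size_t)total;
}

/* Copy the client's first frame into a fixed-size buffer. The declared length is peer-controlled
 * input, so it is compared against the destination size *before* memcpy runs; skipping that
 * comparison is exactly the CWE-787 pattern the advisory describes. The size check runs before
 * the "need more data" check so an absurd length is rejected instead of being waited for. */
enum frame_status read_first_frame(enum proto p, const uint8_t *in, size_t in_len,
                                   uint8_t *buf, size_t buf_size, size_t *out_len)
{
    if (in_len < 4) return FRAME_TRUNCATED;          /* header not fully received yet */
    size_t want = declared_frame_len(p, in);
    if (want < 4) return FRAME_MALFORMED;            /* PG length must at least cover itself */
    if (want > buf_size) return FRAME_TOO_LARGE;     /* the bounds check */
    if (want > in_len) return FRAME_TRUNCATED;       /* legitimate frame, still arriving */
    memcpy(buf, in, want);
    *out_len = want;
    return FRAME_OK;
}

static uint8_t input_buffer[INPUT_BUFFER_SIZE];

/* Constructed sample: well-formed MySQL frame with a 5-byte payload; returns 1 on success. */
int demo_mysql_normal(void)
{
    const uint8_t frame[] = { 0x05, 0x00, 0x00, 0x00, 'h', 'e', 'l', 'l', 'o' };
    size_t got = 0;
    enum frame_status s = read_first_frame(PROTO_MYSQL, frame, sizeof frame,
                                           input_buffer, sizeof input_buffer, &got);
    return s == FRAME_OK && got == 9;
}

/* Constructed sample: MySQL header declaring a 5-byte payload of which only 2 bytes arrived. */
int demo_mysql_partial(void)
{
    const uint8_t frame[] = { 0x05, 0x00, 0x00, 0x00, 'h', 'e' };
    size_t got = 0;
    return read_first_frame(PROTO_MYSQL, frame, sizeof frame, input_buffer, sizeof input_buffer, &got);
}

/* Constructed sample: MySQL header declaring the maximum 3-byte payload length (16 MiB - 1). */
int demo_mysql_oversized(void)
{
    const uint8_t hdr[] = { 0xFF, 0xFF, 0xFF, 0x00 };
    size_t got = 0;
    return read_first_frame(PROTO_MYSQL, hdr, sizeof hdr, input_buffer, sizeof input_buffer, &got);
}

/* Constructed sample: minimal PostgreSQL startup message (length 8 + protocol version 3.0). */
int demo_pg_normal(void)
{
    const uint8_t frame[] = { 0x00, 0x00, 0x00, 0x08, 0x00, 0x03, 0x00, 0x00 };
    size_t got = 0;
    enum frame_status s = read_first_frame(PROTO_PGSQL, frame, sizeof frame,
                                           input_buffer, sizeof input_buffer, &got);
    return s == FRAME_OK && got == 8;
}

/* Constructed sample: PostgreSQL startup header declaring a 1 MiB message. */
int demo_pg_oversized(void)
{
    const uint8_t hdr[] = { 0x00, 0x10, 0x00, 0x00 };
    size_t got = 0;
    return read_first_frame(PROTO_PGSQL, hdr, sizeof hdr, input_buffer, sizeof input_buffer, &got);
}

int main(void)
{
    printf("mysql normal ok=%d partial=%d oversized=%d\n",
           demo_mysql_normal(), demo_mysql_partial(), demo_mysql_oversized());
    printf("pg normal ok=%d oversized=%d\n", demo_pg_normal(), demo_pg_oversized());
    return 0;
}
```

The ordering of the two comparisons matters: testing "is the whole frame here yet?" before "does it fit at all?" would make a reader keep buffering toward a size that can never fit, so the destination-size check comes first and the connection can be closed immediately.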

Is my ProxySQL deployment at risk?

Risk depends on your network architecture. According to Halo Surface Signal, while ProxySQL is often kept within internal network segments, it is sometimes exposed to the public internet in cloud or distributed environments to support remote database connectivity. Systems exposed to the internet are at the highest risk, as they are reachable by unauthorized remote actors. You should verify whether your specific ProxySQL instances are accessible from outside your private network.

How do I secure my environment against this CVE?

The primary response is to upgrade your ProxySQL software to version 3.0.9 or later, which contains the fix for this memory corruption issue. Begin by auditing your infrastructure to identify all running versions of ProxySQL. Prioritise instances that are exposed to the network, and coordinate with your database and platform teams to schedule the update, as applying it requires a service restart.
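A version-triage helper for the audit step above, added here as example code (it is not a Halo or ProxySQL tool): it parses the version strings your inventory reports and flags anything below 3.0.9, the release this advisory names as fixed. The version-string format and the inventory list are constructed sample data; a parse failure is reported separately rather than silently treated as patched.

```c
#include <ctype.h>
#include <stdio.h>
#include <stddef.h>

/* First release the advisory names as containing the fix. */
#define FIXED_MAJOR 3
#define FIXED_MINOR 0
#define FIXED_PATCH 9

/* Returns 1 if the string names a release at or above 3.0.9, 0 if below it, and -1 if no
 * "X.Y.Z" triple could be found. Leading text before the first digit is skipped and anything
 * after the patch number (e.g. a "-suffix") is ignored. */
int proxysql_version_is_fixed(const char *s)
{
    if (s == NULL) return -1;
    while (*s && !isdigit((unsigned char)*s)) s++;   /* skip any leading label */
    int major, minor, patch;
    if (sscanf(s, "%d.%d.%d", &major, &minor, &patch) != 3) return -1;
    if (major != FIXED_MAJOR) return major > FIXED_MAJOR;
    if (minor != FIXED_MINOR) return minor > FIXED_MINOR;
    return patch >= FIXED_PATCH;
}

typedef struct {
    int need_upgrade;   /* parsed, and below the fixed release */
    int unparseable;    /* could not be parsed; needs manual follow-up */
} audit_result;

/* Walk an inventory of version strings and tally what still needs attention. */
audit_result audit_versions(const char *const *versions, size_t n)
{
    audit_result r = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        int v = proxysql_version_is_fixed(versions[i]);
        if (v < 0) r.unparseable++;
        else if (v == 0) r.need_upgrade++;
    }
    return r;
}

/* Constructed sample inventory: strings as a CMDB or discovery job might record them. */
static const char *const sample_inventory[] = {
    "version 3.0.8",
    "3.0.9",
    "2.7.1",
    "3.1.0",
    "unknown",
};
#define SAMPLE_INVENTORY_LEN (sizeof sample_inventory / sizeof sample_inventory[0])

int sample_need_upgrade(void) { return audit_versions(sample_inventory, SAMPLE_INVENTORY_LEN).need_upgrade; }
int sample_unparseable(void)  { return audit_versions(sample_inventory, SAMPLE_INVENTORY_LEN).unparseable; }

int main(void)
{
    printf("instances needing upgrade: %d, unparseable: %d\n",
           sample_need_upgrade(), sample_unparseable());
    return 0;
}
```

Feed it the version strings gathered in your own audit; the two counters map directly onto the two follow-ups the remediation guidance calls for, scheduling the upgrade and chasing down hosts whose version is unknown.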
