CVE-2026-44172
Description
MariaDB server's mysql_real_escape_string() mishandles big5 character set, allowing SQL injection via crafted multi-byte sequences despite escaping.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In MariaDB server versions 3.3.18 and 3.4.8, the mysql_real_escape_string() function incorrectly handles the big5 character set when processing user-supplied input. Specifically, certain multi-byte sequences can cause the function to misinterpret the input, allowing an attacker to bypass escaping. This issue occurs when the application uses the text protocol with the big5 charset and escapes user input with mysql_real_escape_string() before constructing SQL queries [1][2].
Exploitation
An attacker does not require direct database access but must be able to supply input to an application that uses the vulnerable escaping function with the big5 character set. The attacker crafts a malicious string containing a multi-byte sequence (e.g., `\xa1' + 10 -- `) that, when escaped, produces output (e.g., `\xa1\' + 10 -- `) in which the escape character (`\`) is absorbed as the trail byte of the preceding multi-byte character, leaving the single quote unescaped and breaking out of the SQL string literal [1]. The attacker then appends SQL syntax to inject additional commands into the query.
Impact
Successful exploitation allows an attacker to perform SQL injection, potentially leading to unauthorized data access, modification, or deletion. The attacker may read sensitive data from the database, alter existing records, or escalate privileges depending on the database context and permissions of the application's database user [2].
Mitigation
The issue is patched in MariaDB server versions 3.3.19 and 3.4.9 [1]. Users unable to upgrade can apply workarounds: switch the application character set from big5 to gbk, or use prepared statements instead of interpolating escaped parameters into query strings [2].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
OSV coordinates (3 versions):
- pkg:rpm/opensuse/mariadb&distro=openSUSE%20Tumbleweed
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP7
- pkg:rpm/suse/mariadb&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP7
Affected version ranges (no CPE):
- range: < 11.8.7-1.1
- range: < 11.8.8-150700.3.15.1
- range: < 11.8.8-150700.3.15.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"mysql_real_escape_string() fails to correctly identify multi-byte character boundaries for the big5 character set, allowing a single quote preceded by a big5 lead byte to bypass escaping."
Attack vector
An attacker supplies a crafted string containing a big5 lead byte (e.g. `\xa1`) followed by a single quote. The application, using the big5 character set, passes this input through `mysql_real_escape_string()` and then embeds the result in a SQL query via the text protocol. Because the escape function does not correctly handle multi-byte character boundaries for big5, the single quote is not properly escaped, allowing the attacker to break out of the string literal and inject arbitrary SQL [ref_id=1]. This is a classic multi-byte character SQL injection (akin to CWE-89).
Affected code
The bug is in `mysql_real_escape_string()` when the connection character set is `big5`. The test case in [ref_id=1] shows that the input `"\xa1' + 10 -- "` is expected to be escaped as `"\\xa1\\' + 10 -- "`. Either the function fails to recognize that `\xa1` is the lead byte of a two-byte big5 character, so the following `'` is not treated as part of the multi-byte sequence and is escaped as a plain single-byte quote; or the escaping logic misinterprets the byte sequence and produces output in which the single quote can still close the string literal.
What the fix does
The patch (not shown in the bundle, but referenced as fixed in versions 3.3.19 and 3.4.9) corrects the multi-byte character detection in `mysql_real_escape_string()` so that when the connection character set is big5, a lead byte like `\xa1` is recognized as starting a two-byte character, and the following byte (even if it is a single quote) is treated as a continuation byte rather than a string terminator. This prevents the escape function from producing output that can be exploited for SQL injection.
Preconditions
- config: The application must use the big5 character set for the database connection.
- input: The application must take non-validated user input and escape it with mysql_real_escape_string() before embedding it in a SQL query via the text protocol.
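The following Python illustration is added here and is not MariaDB, Connector/C or patch code; it uses Python's own `big5` codec to stand in for the connection character set and a deliberately simplified model of how a charset-aware SQL lexer reads a string literal. It shows why byte-oriented escaping fails on the page's test input (and on perfectly valid big5 text whose trail byte is `0x5C`), and one defensive alternative that escapes per character and rejects bytes that are not valid in the connection charset. The names `naive_escape`, `charset_aware_escape` and `quote_survives` are this example's own; the rejection strategy is one possible design, not the project's fix. As the Mitigation section says, prepared statements avoid the problem entirely because user data never travels inside the query text.

```python
# Added illustration (not MariaDB or Connector/C code): byte-oriented escaping
# versus charset-aware escaping for a multi-byte connection charset (big5).

SQL_SPECIALS = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def naive_escape(data: bytes) -> bytes:
    """Escape byte by byte, blind to multi-byte boundaries (the weak pattern)."""
    out = bytearray()
    for b in data:
        repl = SQL_SPECIALS.get(chr(b))
        out += repl.encode("ascii") if repl else bytes([b])
    return bytes(out)


def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Escape per character of the connection charset.

    Bytes that do not form valid characters in that charset (for example a
    big5 lead byte 0xA1 followed by 0x27, which is not a legal trail byte)
    are rejected, so no escape backslash emitted later can be swallowed as
    the trail byte of a multi-byte character. Hypothetical defensive design.
    """
    try:
        text = data.decode(charset)  # strict: truncated/invalid sequences raise
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}: {exc}") from None
    return "".join(SQL_SPECIALS.get(ch, ch) for ch in text).encode(charset)


def quote_survives(escaped: bytes, charset: str) -> bool:
    """Simplified model of a charset-aware lexer reading a literal body:
    walk characters (not bytes), let a backslash consume the next character,
    and report whether a bare single quote remains that would close the literal."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # escape sequence: skip the escaped character
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


if __name__ == "__main__":
    # Constructed sample: the input from the CVE's test case.
    payload = b"\xa1' + 10 -- "
    print("naive escape output:", naive_escape(payload))
    print("quote breaks out after naive escape:",
          quote_survives(naive_escape(payload), "big5"))
    try:
        charset_aware_escape(payload, "big5")
    except ValueError as err:
        print("charset-aware escape rejected input:", err)

    # Constructed sample: a valid two-byte big5 character whose trail byte is
    # 0x5C (a backslash), followed by a quote. Naive escaping doubles the
    # trail byte and the quote still breaks out; per-character escaping does not.
    legit = b"\xa1\\'"
    print("naive, valid input, quote breaks out:",
          quote_survives(naive_escape(legit), "big5"))
    print("charset-aware, valid input, quote breaks out:",
          quote_survives(charset_aware_escape(legit, "big5"), "big5"))
```

`quote_survives` doubles as a cheap regression check for an escaping routine: feed it the escaper's output under the connection charset and any `True` result means a literal can be closed by user data.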
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.