VYPR
Advisory · Published Jun 23, 2026 · Updated Jul 2, 2026 · 1 source

OpenLink Virtuoso-opensource: Eleven DoS Flaws Disclosed Together on June 23, 2026


Key findings

  • Eleven DoS vulnerabilities disclosed simultaneously for OpenLink Virtuoso-opensource 7.2.11.
  • All vulnerabilities are triggered by crafted SQL statements targeting various internal components.
  • The disclosed issues primarily impact the availability of the database system.
  • Version 7.2.11 is confirmed to be affected by all eleven CVEs.

On June 23, 2026, a batch of eleven Denial of Service (DoS) vulnerabilities was disclosed, affecting OpenLink Virtuoso-opensource version 7.2.11. All of them are triggered by crafted SQL statements and could allow attackers to disrupt the availability of the database system. The disclosures were made on the same day, indicating a coordinated release of security information.

The vulnerabilities are distributed across various internal components of Virtuoso-opensource:

  • sqlo_place_dt_set (CVE-2025-61018)
  • t_set_push (CVE-2025-61027)
  • sqlo_tb_col_preds (CVE-2025-61022)
  • sslr_qst_get (CVE-2025-61025)
  • sqlo_key_part_best (CVE-2025-61019)
  • st_compare (CVE-2025-61023)
  • sqlo_untry (CVE-2025-61029)
  • sqlo_try_in_loop (CVE-2025-61024)
  • sqlo_natural_join_cond (CVE-2025-61021)
  • sqlo_strip_in_join (CVE-2025-61020)
  • time_t_to_dt (CVE-2025-61028)

Each of these flaws allows for a DoS condition when triggered by specifically crafted SQL queries.
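For incident triage, the component-to-CVE pairs named above can be matched against a crash backtrace. The following is an added example, not code from OpenLink or from the advisory source. It assumes the DoS shows up as a server crash and that a gdb-style `bt` listing from the core dump is available; the sample backtrace, its addresses, its file names and the `sqlo_untry_x` symbol are constructed.

```python
import re

# Function-to-CVE pairs exactly as listed in this advisory.
AFFECTED = {
    "sqlo_place_dt_set": "CVE-2025-61018",
    "t_set_push": "CVE-2025-61027",
    "sqlo_tb_col_preds": "CVE-2025-61022",
    "sslr_qst_get": "CVE-2025-61025",
    "sqlo_key_part_best": "CVE-2025-61019",
    "st_compare": "CVE-2025-61023",
    "sqlo_untry": "CVE-2025-61029",
    "sqlo_try_in_loop": "CVE-2025-61024",
    "sqlo_natural_join_cond": "CVE-2025-61021",
    "sqlo_strip_in_join": "CVE-2025-61020",
    "time_t_to_dt": "CVE-2025-61028",
}

# gdb frame line: "#1  0x00005a2f in func (args) at file.c:88" or "#0  func (args) ..."
FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?([A-Za-z_]\w*)\s*\(")

def triage(backtrace):
    """Return (frame_no, function, cve) for the innermost affected frame, or None."""
    hits = []
    for line in backtrace.splitlines():
        m = FRAME.match(line.strip())
        # Exact symbol comparison: a longer name that merely contains an
        # affected function name must not be reported.
        if m and m.group(2) in AFFECTED:
            hits.append((int(m.group(1)), m.group(2), AFFECTED[m.group(2)]))
    # Lowest frame number = closest to the fault, regardless of line order.
    return min(hits) if hits else None

# Constructed sample: frame #0 uses a made-up symbol that only contains an
# affected name; frames #1 and #2 are both affected, #1 is innermost.
SAMPLE_BT = """\
#0  0x00000000005a1c20 in sqlo_untry_x (so=0x0) at constructed.c:10
#1  0x00000000005a2f44 in sqlo_untry (so=0x7f10) at constructed.c:88
#2  0x00000000005b0012 in sqlo_try_in_loop (so=0x7f10) at constructed.c:140
#3  0x0000000000401a33 in main () at constructed.c:1
"""

if __name__ == "__main__":
    print(triage(SAMPLE_BT))
```

A `None` result only means no listed function appears in the backtrace; it does not show that the crash is unrelated to this batch.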

The primary impact of these vulnerabilities is the potential for attackers to cause a Denial of Service, rendering the Virtuoso-opensource database unavailable to legitimate users. As these are DoS vulnerabilities, there is typically no direct data exfiltration or modification, but the disruption of service can have significant operational and financial consequences. No information regarding active exploitation in the wild or specific threat actor involvement was provided with this batch of CVEs.

All eleven vulnerabilities affect version 7.2.11 of OpenLink Virtuoso-opensource. The disclosures do not specify if a patch has been released, but it is highly probable that users will need to update to a newer version once available, or apply any vendor-provided patches to mitigate these risks. Users are advised to consult OpenLink's official security advisories for the most up-to-date information on affected versions and remediation steps.

This coordinated disclosure of multiple DoS vulnerabilities highlights a potential area of weakness in the handling of crafted SQL statements within Virtuoso-opensource 7.2.11. Database administrators and security teams should prioritize assessing their exposure to these vulnerabilities and implementing necessary updates or mitigations to ensure the continued availability and integrity of their systems. Further monitoring for vendor advisories and potential patches is recommended.

Synthesized by Vypr AI