PatchSiren

PatchSiren cyber security CVE debrief

CVE-2021-46662 Festo Didactic SE CVE debrief

CVE-2021-46662 is a medium-severity availability issue in MariaDB through 10.5.9. According to the supplied CISA CSAF advisory for Festo Didactic SE MES PC, certain UPDATE statements that use a nested subquery can trigger a server crash in set_var.cc, which takes the database offline for every component that depends on it even though no data is exposed.

Vendor
Festo Didactic SE
Product
MES PC
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2024-02-27
Original CVE updated
2026-01-27
Advisory published
2024-02-27
Advisory updated
2026-01-27

Who should care

Festo Didactic SE MES PC operators, OT/ICS administrators, and any team responsible for MariaDB-based components in the affected MES PC stack. This matters most where local database access is available and service uptime is operationally important.

Technical summary

The vulnerability is described as a MariaDB application crash in set_var.cc triggered by specific UPDATE statements that include a nested subquery. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H: local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, and high availability impact. In practice the precondition is a database session able to issue the crashing statement, so any account or application that can run arbitrary UPDATE statements against the instance should be treated as within scope, and a single crash of the database server process stops everything on the MES PC that depends on it until the service is restarted. The CISA CSAF source maps the issue into Festo Didactic SE MES PC guidance and notes a replacement path: Factory Control Panel, which replaces XAMPP on MES PCs and includes fixes for these vulnerabilities.

Defensive priority

Medium. Prioritize if the affected MariaDB component is present in production MES PC deployments or if local users or application accounts can reach the database. Although the impact is service disruption rather than code execution, patching or replacement still matters in OT settings where database downtime halts the MES functions that depend on it.

Recommended defensive actions

  • Inventory MES PC deployments and confirm whether the affected MariaDB/XAMPP-based stack is present.
  • Deploy the current Factory Control Panel version referenced by Festo support, which the advisory says includes fixes for these vulnerabilities.
  • Verify that any embedded MariaDB instance is no longer at or below the affected 10.5.9 baseline, for example by checking the output of SELECT VERSION() on each instance; compare version numbers numerically, since a plain string comparison ranks 10.5.10 below 10.5.9.
  • Restrict local database access to the minimum required users and services.
  • Test application queries in a staging environment before rollout to catch crash conditions and regressions, and confirm how the MES application behaves if the database service stops unexpectedly and whether the service restarts on its own.
  • Follow CISA ICS recommended practices for segmentation, least privilege, backups, and recovery planning.
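The version check from the actions above, as an added example (not PatchSiren's, Festo's or MariaDB's code): it parses version banners of the kind returned by SELECT VERSION() or mysqld --version, compares them numerically against the 10.5.9 bound stated in the advisory text, and separates non-MariaDB and unparseable banners so they are reviewed rather than silently skipped. It takes the advisory text literally and treats every MariaDB release numerically at or below 10.5.9 as in scope (an assumption); the hostnames and banners in SAMPLE_INVENTORY are constructed, and the exact MariaDB build shipped with Factory Control Panel should be confirmed with Festo support rather than inferred from this script.

```python
"""Added example, not code from PatchSiren, Festo or MariaDB: triage MariaDB
version banners against the CVE-2021-46662 bound ("MariaDB through 10.5.9").
"""
import re
from typing import Dict, List, Optional, Tuple

# Upper bound taken from the advisory text; releases numerically at or below
# this are treated as affected (assumption: a literal reading of "through 10.5.9").
AFFECTED_THROUGH: Tuple[int, int, int] = (10, 5, 9)

# First dotted triple in a banner, e.g. "10.5.9-MariaDB-log" or
# "mysqld  Ver 10.5.9-MariaDB for Win64 on AMD64 (...)".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) as integers, or None if no version is present."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(banner: str) -> str:
    """Classify one banner: 'affected', 'not_affected', 'not_mariadb' or 'unknown'.

    Integer tuples are compared, so 10.5.10 correctly sorts above 10.5.9;
    a plain string comparison would rank it below because '1' < '9'.
    """
    version = parse_version(banner)
    if version is None:
        return "unknown"              # empty or unparseable: needs a manual look
    if "mariadb" not in banner.lower():
        return "not_mariadb"          # e.g. a MySQL banner; outside this advisory
    return "affected" if version <= AFFECTED_THROUGH else "not_affected"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> classification for a host -> banner inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}


def hosts_to_patch(inventory: Dict[str, str]) -> List[str]:
    """Hosts whose banner falls inside the affected range, sorted for a work list."""
    return sorted(h for h, c in triage(inventory).items() if c == "affected")


def hosts_needing_review(inventory: Dict[str, str]) -> List[str]:
    """Hosts the automated check could not settle (no banner, or not MariaDB)."""
    return sorted(h for h, c in triage(inventory).items() if c in ("unknown", "not_mariadb"))


# Constructed sample inventory (hypothetical hostnames and banners, not real hosts).
SAMPLE_INVENTORY: Dict[str, str] = {
    "mes-pc-01": "10.4.18-MariaDB",                       # older branch, below the bound
    "mes-pc-02": "mysqld  Ver 10.5.9-MariaDB for Win64 on AMD64 (mariadb.org binary distribution)",
    "mes-pc-03": "10.5.10-MariaDB-log",                   # first release above the bound
    "mes-pc-04": "8.0.32",                                # MySQL banner, not MariaDB
    "mes-pc-05": "",                                      # banner collection failed
}

if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {result}")
    print("patch:", hosts_to_patch(SAMPLE_INVENTORY))
    print("review:", hosts_needing_review(SAMPLE_INVENTORY))
```

Feed the script the banners collected from each MES PC; hosts in the "review" list are the ones where the banner was missing or did not identify MariaDB at all, which in an XAMPP-based stack is itself worth a second look before the host is marked as not affected.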

Evidence notes

The CVE description and severity are taken from the supplied record and CISA CSAF source item published on 2024-02-27, with a later CISA republication timestamp of 2026-01-27 used only as source-history context. The advisory text specifically states that MariaDB through 10.5.9 can crash set_var.cc via certain UPDATE statements with nested subqueries. The supplied enrichment does not include KEV listing or ransomware linkage.

Official resources

Published for defensive awareness using the CVE published date of 2024-02-27. The supplied corpus shows no KEV entry and no ransomware-campaign attribution for this issue.