PatchSiren cyber security CVE debrief
CVE-2021-46664 Festo Didactic SE CVE debrief
CVE-2021-46664 is a medium-severity availability issue described in the supplied advisory corpus as a MariaDB crash in sub_select_postjoin_aggr when aggr is NULL. In the CISA-republished Festo Didactic SE MES PC advisory context, the vendor recommends replacing the vulnerable XAMPP-based MES PC component with Factory Control Panel, which includes fixes. The supplied CVSS vector indicates a local, low-privilege impact with no confidentiality or integrity effect and a high availability impact.
- Vendor: Festo Didactic SE
- Product: MES PC
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-02-27
- Original CVE updated: 2026-01-27
- Advisory published: 2024-02-27
- Advisory updated: 2026-01-27
Who should care
Organizations running Festo Didactic SE MES PC deployments, especially OT/industrial support teams, system administrators, and anyone maintaining bundled MariaDB/XAMPP components on those systems.
Technical summary
The supplied source describes a crash condition in MariaDB through 10.5.9 involving sub_select_postjoin_aggr and a NULL aggr value. The associated CVSS 3.1 vector in the corpus is AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a local issue that can disrupt service availability but does not indicate confidentiality or integrity compromise. In the advisory context, this issue is tied to Festo Didactic SE MES PC, with remediation centered on moving to the vendor-provided Factory Control Panel replacement.
Defensive priority
Medium — prioritize remediation for exposed MES PC installations because the issue can stop service, but the supplied data indicates local access and no evidence of code execution or remote compromise.
Recommended defensive actions
- Confirm whether any MES PC deployments are using the affected XAMPP/MariaDB component set referenced in the advisory.
- Obtain the current Factory Control Panel release from Festo technical support and plan migration from the vulnerable component.
- Validate local access controls and least-privilege settings on systems that host the affected software.
- Test service restart and monitoring procedures so a crash event is detected and recovered quickly.
- Track the Festo/CISA advisory references for revisions and verify the installed replacement version matches the fixed release.
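The first action above (confirming whether a deployment still runs the affected MariaDB build) comes down to reading the bundled server's version banner and comparing it against the "through 10.5.9" range the advisory describes. The following script is an added example, not code from PatchSiren, Festo or CISA. It assumes the banner format that `mysqld --version` prints (for example `mysqld  Ver 10.4.19-MariaDB for Win64 on AMD64 (mariadb.org binary distribution)`), treats every MariaDB release up to and including 10.5.9 as affected, and uses constructed sample banners rather than output captured from a real MES PC; the optional `assess_local_mysqld` helper and its `mysqld_path` parameter are illustrative additions.

```python
"""Classify MariaDB version banners against the range described in the advisory
(MariaDB through 10.5.9). Added illustration; sample banners are constructed."""
import re
import shutil
import subprocess
from typing import Optional

# Page wording: "MariaDB through 10.5.9 allows an application crash ...".
# Assumption: every MariaDB release up to and including this tuple is affected.
AFFECTED_THROUGH = (10, 5, 9)

# Matches the version portion of a `mysqld --version` banner, e.g.
#   mysqld  Ver 10.4.19-MariaDB for Win64 on AMD64 (mariadb.org binary distribution)
_VERSION_RE = re.compile(r"\bVer\s+(\d+)\.(\d+)\.(\d+)(-MariaDB)?", re.IGNORECASE)


def parse_banner(banner: str) -> Optional[dict]:
    """Return {'version': (major, minor, patch), 'mariadb': bool}, or None if unparseable."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    version = tuple(int(x) for x in m.group(1, 2, 3))
    # XAMPP ships MariaDB under the mysqld name; the -MariaDB suffix (or the word
    # elsewhere in the banner) distinguishes it from an Oracle MySQL build.
    is_mariadb = bool(m.group(4)) or "mariadb" in banner.lower()
    return {"version": version, "mariadb": is_mariadb}


def assess_banner(banner: str) -> dict:
    """Classify one banner as 'affected', 'fixed', 'not-mariadb' or 'unknown'."""
    parsed = parse_banner(banner)
    if parsed is None:
        return {"banner": banner, "status": "unknown", "version": None}
    if not parsed["mariadb"]:
        status = "not-mariadb"
    elif parsed["version"] <= AFFECTED_THROUGH:
        status = "affected"
    else:
        status = "fixed"
    return {"banner": banner, "status": status, "version": parsed["version"]}


def assess_local_mysqld(mysqld_path: Optional[str] = None) -> dict:
    """Run `mysqld --version` on this host and assess the banner.

    The path is an assumption: on a XAMPP install the binary normally lives under the
    bundle's mysql\\bin directory, so pass it explicitly if it is not on PATH."""
    exe = mysqld_path or shutil.which("mysqld")
    if exe is None:
        return {"banner": "", "status": "unknown", "version": None}
    out = subprocess.run([exe, "--version"], capture_output=True, text=True, check=False)
    return assess_banner(out.stdout.strip())


# Constructed sample banners covering the boundary cases (not real inventory data).
SAMPLE_BANNERS = [
    "mysqld  Ver 10.4.19-MariaDB for Win64 on AMD64 (mariadb.org binary distribution)",
    "mysqld  Ver 10.5.9-MariaDB for Win64 on AMD64 (mariadb.org binary distribution)",
    "mysqld  Ver 10.5.10-MariaDB for Win64 on AMD64 (mariadb.org binary distribution)",
    "mysqld  Ver 8.0.26 for Win64 on x86_64 (MySQL Community Server - GPL)",
    "command not found",
]


def summarize(banners=SAMPLE_BANNERS) -> dict:
    """Count banners per status; any 'affected' count means migration is still outstanding."""
    counts = {"affected": 0, "fixed": 0, "not-mariadb": 0, "unknown": 0}
    for b in banners:
        counts[assess_banner(b)["status"]] += 1
    return counts


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        r = assess_banner(b)
        print(f"{r['status']:<12} {b}")
    print(summarize())
```

The boundary case matters: 10.5.9 itself is inside the described range, while 10.5.10 is outside it, so the comparison is inclusive on the upper bound. An "unknown" result (no parseable banner) should be treated as unresolved rather than as fixed when feeding this into an inventory.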
Evidence notes
Primary evidence comes from the supplied CISA CSAF source item for ICSA-26-027-02, which republishes the Festo Didactic SE MES PC advisory. The corpus description states: 'MariaDB through 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr.' The remediation entry says Festo Didactic has released Factory Control Panel as a replacement for XAMPP on its MES PCs and that the current version includes fixes. The supplied timeline shows initial publication on 2024-02-27 and a later CISA republication on 2026-01-27; the publication date is used here as the advisory date. No KEV listing is present in the supplied data.
Official resources
- CVE-2021-46664 CVE record (CVE.org)
- CVE-2021-46664 NVD detail (NVD)
- Source item URL (cisa_csaf)
Publicly disclosed in the supplied corpus on 2024-02-27; later source republication occurred on 2026-01-27. No Known Exploited Vulnerabilities entry is included in the provided data.