PatchSiren cyber security CVE debrief
CVE-2016-5541 Oracle CVE debrief
CVE-2016-5541 affects the MySQL Cluster component of Oracle MySQL, specifically the Cluster: NDBAPI subcomponent. Oracle and NVD identify affected releases as 7.2.26 and earlier, 7.3.14 and earlier, and 7.4.12 and earlier. A remote unauthenticated attacker with network access can, with difficult exploitation conditions, potentially perform unauthorized data updates, inserts, or deletes, or cause a partial denial of service.
- Vendor: Oracle
- Product: CVE-2016-5541
- CVSS: MEDIUM 4.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-27
- Advisory updated: 2026-05-13
Who should care
Operators and administrators of Oracle MySQL Cluster deployments, especially those exposing NDBAPI-related services to wider networks. Security teams responsible for database patching, segmentation, and monitoring should prioritize checking whether affected versions are in use.
Technical summary
The NVD record rates this issue CVSS v3.0 4.8 with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L. The supplied description says the flaw is network reachable, requires no privileges or user interaction, and can impact integrity and availability. NVD lists the weakness as NVD-CWE-noinfo, so the publicly supplied metadata does not provide a more specific CWE classification.
Defensive priority
Medium priority. The issue is remotely reachable and can affect data integrity and service availability, but NVD rates exploitation complexity as high and the vulnerability is not listed as KEV in the supplied enrichment.
Recommended defensive actions
- Inventory Oracle MySQL Cluster deployments and confirm whether any instance is at or below 7.2.26, 7.3.14, or 7.4.12.
- Apply Oracle's January 2017 CPU or a later supported release that moves beyond the affected version ranges.
- Restrict network access to MySQL Cluster and NDBAPI-related services to trusted management and application hosts only.
- Monitor for unexpected data modifications and partial service degradation on affected clusters.
- Validate backups, rollback procedures, and cluster health after patching or version changes.
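The inventory check in the first action can be scripted. The following is an added example, not part of the NVD or Oracle material: it assumes version strings carry the NDB version as `ndb-X.Y.Z` (as reported by MySQL Cluster SQL and management nodes), compares numerically against the upper bounds stated above, and uses constructed hostnames and versions.

```python
import re

# Upper bounds of the affected ranges as stated on this page (inclusive).
AFFECTED_MAX = {(7, 2): 26, (7, 3): 14, (7, 4): 12}

# NDB version as embedded in MySQL Cluster version strings, e.g.
# "5.6.29-ndb-7.4.11-cluster-gpl" or "mysql-5.5.50 ndb-7.2.25".
NDB_RE = re.compile(r"ndb-(\d+)\.(\d+)\.(\d+)")


def classify(version_string):
    """Return (status, ndb_version) for one reported version string.

    status is one of:
      "affected"    - NDB version falls inside a range listed on this page
      "above-range" - same release series, above the listed upper bound
      "unlisted"    - series with no bound on this page; check Oracle's CPU
      "unparsed"    - no NDB version found (e.g. a non-Cluster mysqld)
    """
    m = NDB_RE.search(version_string)
    if not m:
        return "unparsed", None
    major, minor, patch = (int(g) for g in m.groups())
    ndb = f"{major}.{minor}.{patch}"
    bound = AFFECTED_MAX.get((major, minor))
    if bound is None:
        return "unlisted", ndb
    # Integer comparison: "7.4.9" must sort below "7.4.12".
    return ("affected" if patch <= bound else "above-range"), ndb


def audit(inventory):
    """Map host -> (status, ndb_version) for a {host: version_string} dict."""
    return {host: classify(v) for host, v in inventory.items()}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "ndb-sql-01": "5.6.29-ndb-7.4.11-cluster-gpl",
    "ndb-sql-02": "5.6.31-ndb-7.4.13-cluster-gpl",
    "ndb-mgm-01": "mysql-5.5.50 ndb-7.2.26",
    "ndb-sql-03": "5.7.16-ndb-7.5.4-cluster-gpl",
    "app-db-01": "5.7.17-log",
}

if __name__ == "__main__":
    for host, (status, ndb) in sorted(audit(SAMPLE).items()):
        print(f"{host:12} {ndb or '-':8} {status}")
```

Hosts reported as "unlisted" or "unparsed" still need a manual check against Oracle's advisory, since this page gives bounds only for the 7.2, 7.3 and 7.4 series.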
Evidence notes
The supplied NVD record published on 2017-01-27 states the affected product, version bounds, and CVSS vector. Oracle's January 2017 CPU is listed by NVD as the vendor patch reference. The NVD record was modified on 2026-05-13, which is a metadata update and not the vulnerability's disclosure date. No KEV enrichment was supplied for this CVE.
Official resources
- CVE-2016-5541 CVE record (CVE.org)
- CVE-2016-5541 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: Patch, Vendor Advisory
- Mitigation or vendor reference: Third Party Advisory, VDB Entry
- Source reference: Technical Description
- Source reference: Technical Description
Publicly disclosed in the Oracle January 2017 CPU timeframe and published in the NVD on 2017-01-27. The later 2026-05-13 NVD modification reflects record maintenance, not the original issue date.