Investigating the June 2026 patch for RDS MySQL 5.7 now that Extended Support runs until 2029
Introduction
On June 17, 2026, AWS announced an extension of RDS MySQL 5.7 Extended Support through June 30, 2029. The previous end date was February 28, 2027, representing an extension of approximately two and a half years. The Year 3 pricing ($0.200/vCPU-hr) remains unchanged.
Prior to this extension announcement, on June 4, security patch 5.7.44-RDS.20260521 was released after entering Year 3. It includes 14 CVE fixes and 1 bug fix, confirming that Extended Support maintenance is functioning in practice. All CVEs are DoS-type (CVSS 4.9–6.5), and the bug fix addresses a memory leak during shutdown.
To understand what fixes are actually being provided, all 14 CVEs were reviewed using NVD and Oracle CPU April 2026.
Note that this article is based on publicly available information; no vulnerability reproduction or patch application verification was performed on actual systems.
Extended Support Additional Pricing Summary
The Extended Support additional charges for RDS MySQL 5.7 are as follows (US East (Ohio) region).
| Period | Date Range | Additional Charge (per vCPU-hr) |
|---|---|---|
| Year 1-2 | 2024/3/1 – 2026/2/28 | $0.100 |
| Year 3 | 2026/3/1 – 2029/6/30 | $0.200 |
Monthly Cost Estimate for Extended Support Additional Charges Only
Estimated for Single-AZ, 1 instance, at 730 hours/month.
| Instance Class | vCPU | Year 1-2 | Year 3 |
|---|---|---|---|
| db.t3.micro | 2 | $146/mo | $292/mo |
| db.r5.large | 2 | $146/mo | $292/mo |
| db.r5.2xlarge | 8 | $584/mo | $1,168/mo |
Since Extended Support additional charges are calculated based on the number of vCPUs, the amount is the same for instances with the same vCPU count regardless of their normal instance pricing. This is why db.t3.micro and db.r5.large show the same amount.
Also, Reserved Instance discounts do not apply to Extended Support charges.
CVE Investigation Results
Full List of All 14 CVEs
For all 14 CVEs, the CVSS v3.1 vector was verified against NVD, and the component classification follows the Oracle CPU April 2026 advisory.
| CVE ID | Component | CVSS v3.1 | PR | Vector |
|---|---|---|---|---|
| CVE-2026-34270 | Group Replication Plugin | 6.5 | L | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CVE-2026-34271 | Group Replication Plugin | 6.5 | L | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CVE-2026-34272 | Optimizer | 6.5 | L | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CVE-2026-22004 | InnoDB | 4.9 | H | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2026-34304 | InnoDB | 4.9 | H | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2026-35236 | InnoDB | 4.9 | H | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2026-35237 | InnoDB | 4.9 | H | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2026-35238 | InnoDB | 4.9 | H | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2026-21998 | Optimizer | 4.9 | H | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2026-22002 | Optimizer | 4.9 | H | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2026-22005 | Optimizer | 4.9 | H | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2026-34267 | Optimizer | 4.9 | H | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2026-34278 | Optimizer | 4.9 | H | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2026-35240 | Optimizer | 4.9 | H | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
All CVEs were disclosed in the Oracle Critical Patch Update April 2026.
Common Characteristics
The CVSS vector characteristics common to all 14 CVEs are as follows.
- Confidentiality (C): None — No direct impact on data leakage as evaluated by CVSS
- Integrity (I): None — No direct impact on data tampering as evaluated by CVSS
- Availability (A): High — May cause server hang or repeated crashes (complete DoS)
Based on publicly available information, all vulnerabilities are evaluated as DoS-type.
Distribution by Severity
| CVSS v3.1 Base Score | Required Privileges | Count |
|---|---|---|
| 6.5 (MEDIUM) | PR:L (authenticated low-privilege) | 3 |
| 4.9 (MEDIUM) | PR:H (high privilege) | 11 |
PR:L (low privilege) assumes a user with DB connection privileges, while PR:H (high privilege) assumes DBA-equivalent privileges.
Breakdown by Component
| Component | Count |
|---|---|
| Server: Optimizer | 7 |
| InnoDB | 5 |
| Server: Group Replication Plugin | 2 |
Optimizer and InnoDB account for 12 of the 14 issues, making up the vast majority.
Two CVEs related to Group Replication are included. However, since users do not directly use Group Replication in a standard RDS for MySQL configuration, the practical impact on RDS users is considered low.
Regarding the 3 CVEs with CVSS 6.5
The 3 CVEs with relatively higher scores among the 14 are exploitable by authenticated low-privilege users (PR:L).
- CVE-2026-34270, CVE-2026-34271 (Group Replication Plugin): May cause DoS in Group Replication processing. However, as noted above, the impact is low in standard RDS configurations.
- CVE-2026-34272 (Optimizer): May cause DoS in query optimization processing. This is a path reachable by low-privilege DB users through normal query execution, making it the highest practical risk among the three.
In environments where low-privilege DB users are widely provisioned, it is worth considering the impact of CVE-2026-34272 in particular.
Summary of Patch Application Considerations
Since all 14 CVEs are DoS-type (C:N/I:N/A:H) and data leakage or tampering risks are not evaluated in publicly available information, patch application decisions can be made based primarily on availability requirements.
Note that AV:N (Attack Vector: Network) in CVSS means "reachable via network" and does not mean the vulnerability is exploitable from the internet without authentication. In RDS, actual reachability depends on configuration factors such as VPC, Security Groups, and public accessibility settings.
The following environments are worth considering for earlier application.
- Systems with high availability requirements (DoS represents a sufficiently serious impact)
- Environments where low-privilege DB users are widely provisioned (3 CVEs with PR:L exist)
The actual timing of application should be decided together with maintenance window scheduling, the impact of the restart, and application compatibility verification.
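The two inputs to that decision, which instances are still below the patched build and how each is exposed, can be pulled from the RDS inventory. The following added example (not from the article or AWS) triages instances against 5.7.44-RDS.20260521 and attaches the Extended Support surcharge from the pricing tables above. The input is shaped like `aws rds describe-db-instances` JSON (the field names are the real ones), but the four instances, their identifiers, and the older engine versions are constructed sample data; rates, period dates and vCPU counts come from the article's tables, and the Single-AZ, 730 hours/month assumption matches the estimate above.

```python
"""Triage RDS MySQL 5.7 instances against the June 2026 patch (added example)."""
from __future__ import annotations

import re
from datetime import date

TARGET_VERSION = "5.7.44-RDS.20260521"      # patched build named in the article
HOURS_PER_MONTH = 730                        # estimate basis used by the article
YEAR3_START = date(2026, 3, 1)               # from the pricing table
RATES = {"year1-2": 0.100, "year3": 0.200}   # $/vCPU-hr, US East (Ohio)
VCPUS = {"db.t3.micro": 2, "db.r5.large": 2, "db.r5.2xlarge": 8}  # from the cost table

# RDS MySQL versions look like '5.7.44-RDS.20260521' (or 'rds' in lower case).
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rds\.(\d{8}))?$", re.IGNORECASE)


def version_key(engine_version: str) -> tuple[int, int, int, int]:
    """Numeric ordering for RDS MySQL versions; plain string comparison would
    mis-order dated builds. A version with no RDS suffix sorts before any
    dated build of the same base version."""
    m = _VER.match(engine_version)
    if not m:
        raise ValueError(f"unrecognised engine version {engine_version!r}")
    major, minor, patch, build = m.groups()
    return int(major), int(minor), int(patch), int(build or 0)


def monthly_extended_support_usd(instance_class: str, on: date) -> float:
    """Extended Support surcharge only (Single-AZ, one instance), per the article."""
    rate = RATES["year3"] if on >= YEAR3_START else RATES["year1-2"]
    return round(VCPUS[instance_class] * rate * HOURS_PER_MONTH, 2)


def triage(describe_output: dict, on: date) -> list[dict]:
    """For each MySQL 5.7 instance: below target build?, publicly accessible?, surcharge."""
    rows = []
    for db in describe_output["DBInstances"]:
        if db["Engine"] != "mysql" or not db["EngineVersion"].startswith("5.7."):
            continue  # other engines/majors are outside this patch's scope
        rows.append({
            "id": db["DBInstanceIdentifier"],
            "version": db["EngineVersion"],
            "needs_patch": version_key(db["EngineVersion"]) < version_key(TARGET_VERSION),
            "publicly_accessible": bool(db["PubliclyAccessible"]),
            "extended_support_usd_per_month":
                monthly_extended_support_usd(db["DBInstanceClass"], on),
        })
    return rows


# Constructed sample shaped like `aws rds describe-db-instances` output.
# Identifiers and the pre-patch build dates are made up for the example.
SAMPLE = {"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "DBInstanceClass": "db.r5.2xlarge",
     "Engine": "mysql", "EngineVersion": "5.7.44-RDS.20250213", "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "reporting", "DBInstanceClass": "db.r5.large",
     "Engine": "mysql", "EngineVersion": "5.7.44-RDS.20260521", "PubliclyAccessible": False},
    {"DBInstanceIdentifier": "legacy-dev", "DBInstanceClass": "db.t3.micro",
     "Engine": "mysql", "EngineVersion": "5.7.44", "PubliclyAccessible": True},
    {"DBInstanceIdentifier": "catalog", "DBInstanceClass": "db.r5.large",
     "Engine": "mysql", "EngineVersion": "8.0.40", "PubliclyAccessible": False},
]}

if __name__ == "__main__":
    for row in triage(SAMPLE, date(2026, 7, 1)):
        flag = "PATCH" if row["needs_patch"] else "ok   "
        print(f"{flag} {row['id']:<14}{row['version']:<22}"
              f"public={row['publicly_accessible']} "
              f"ext-support=${row['extended_support_usd_per_month']:.2f}/mo")
```

Against a real account, feed it `aws rds describe-db-instances --output json` instead of `SAMPLE`. The `needs_patch` column is what to sort the maintenance schedule by; `publicly_accessible` is only one of the reachability factors listed above, so a `False` there still has to be read together with the security group rules and who holds low-privilege DB accounts.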
Summary
The 14 CVE fixes included in 5.7.44-RDS.20260521 are all evaluated as DoS-type (C:N/I:N/A:H) in CVSS. Please consider applying the patch based on your availability requirements and DB user privilege design. While the support period has been extended through 2029, upgrading to MySQL 8.0 or 8.4 LTS at an appropriate time is recommended.
