{"id":"CVE-2016-6663","details":"Race condition in Oracle MySQL before 5.5.52, 5.6.x before 5.6.33, 5.7.x before 5.7.15, and 8.x before 8.0.1; MariaDB before 5.5.52, 10.0.x before 10.0.28, and 10.1.x before 10.1.18; Percona Server before 5.5.51-38.2, 5.6.x before 5.6.32-78-1, and 5.7.x before 5.7.14-8; and Percona XtraDB Cluster before 5.5.41-37.0, 5.6.x before 5.6.32-25.17, and 5.7.x before 5.7.14-26.17 allows local users with certain permissions to gain privileges by leveraging use of my_copystat by REPAIR TABLE to repair a MyISAM table.","modified":"2026-04-11T05:00:40.769649Z","published":"2016-12-13T21:59:00.160Z","related":["CGA-7v79-fv85-53wm","MGASA-2016-0371","SUSE-RU-2023:3956-1","SUSE-RU-2023:4991-1","SUSE-SU-2016:2932-1","SUSE-SU-2016:2933-1"],"references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/93614"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2131.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2749.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/92911"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2130.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2595.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2017-0184.html"},{"type":"ADVISORY","url":"https://mariadb.com/kb/en/mariadb/mariadb-10028-release-notes/"},{"type":"ADVISORY","url":"https://mariadb.com/kb/en/mariadb/mariadb-5552-release-notes/"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2016/Nov/4"},{"type":"ADVISORY","url":"https://mariadb.com/kb/en/mariadb/mariadb-10118-release-notes/"},{"type":"ADVISORY","url":"https://www.percona.com/blog/2016/11/02/percona-responds-to-cve-2016-6663-and-cve-2016-6664/"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2927.html"},{"type":"ADVISORY","url":"http://rhn.redhat.com/errata/RHSA-2016-2928.html"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2016/10/25/4"},{"type":"REPORT","url":"https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-52.html"},{"type":"REPORT","url":"https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-33.html"},{"type":"REPORT","url":"https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-15.html"},{"type":"REPORT","url":"https://dev.mysql.com/doc/relnotes/mysql/8.0/en/news-8-0-1.html"},{"type":"FIX","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"},{"type":"FIX","url":"https://github.com/MariaDB/server/commit/347eeefbfc658c8531878218487d729f4e020805"},{"type":"FIX","url":"https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291"},{"type":"EVIDENCE","url":"https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html"},{"type":"EVIDENCE","url":"https://www.exploit-db.com/exploits/40678/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mariadb/server","events":[{"introduced":"776555af021e917ce0d6235386b43ae59fdd5161"},{"fixed":"c7e1c89070e34e13cb4a3e947021b91fb211959a"},{"introduced":"c235de12ae3723b96944337bd89ad9cc87f21d8f"},{"fixed":"6925689ca829901567e9503fd4fdce443f9a7d53"},{"fixed":"347eeefbfc658c8531878218487d729f4e020805"}],"database_specific":{"versions":[{"introduced":"10.0.0"},{"fixed":"10.0.28"},{"introduced":"10.1.0"},{"fixed":"10.1.18"}]}},{"type":"GIT","repo":"https://github.com/mysql/mysql-server","events":[{"introduced":"54df0057e18d8c82c23fbd4e0bf5b5dc2e762955"},{"last_affected":"754e7eff2872995e2b6e62f9da7448587a411c7b"},{"introduced":"0"},{"last_affected":"1235719370ff0a1e09e43c6eb825128d8caed647"},{"introduced":"0"},{"last_affected":"71f48ab393bce80a59e5a2e498cd1f46f6b43f9a"},{"introduced":"863a73b80b83801a14b416006e64cf892837a657"},{"fixed":"754e7eff2872995e2b6e62f9da7448587a411c7b"},{"introduced":"0"},{"last_affected":"270fd3411e3d671a73ed9725940a30080f59ce6d"},{"fixed":"4e5473862e6852b0f3802b0cd0c6fa10b5253291"}],"database_specific":{"versions":[{"introduced":"5.5.0"},{"last_affected":"5.5.52"},{"introduced":"5.6.0"},{"last_affected":"5.6.33"},{"introduced":"5.7.0"},{"last_affected":"5.7.15"},{"introduced":"5.5.20"},{"fixed":"5.5.52"},{"introduced":"0"},{"last_affected":"8.0"}]}},{"type":"GIT","repo":"https://github.com/percona/percona-server","events":[{"introduced":"ba312212c98fb993434cc7420950102ecca7793d"},{"fixed":"6a9ff9a10b3ba41710a735cbff0f1d89d0dc0219"},{"introduced":"0"},{"fixed":"4c779b72b4804ad04266bf8abc9e787034698a20"},{"introduced":"0"},{"fixed":"1f84ccd54525a4a513a12a2884f12a7d31a85867"},{"introduced":"ba312212c98fb993434cc7420950102ecca7793d"},{"fixed":"b8714facc739ac4ea9eb90d2b3d348ef678ae9a2"}],"database_specific":{"versions":[{"introduced":"5.5"},{"fixed":"5.5.51-38.2"},{"introduced":"5.6"},{"fixed":"5.6.32-78.1"},{"introduced":"5.7"},{"fixed":"5.7.14-8"},{"introduced":"5.5"},{"fixed":"5.5.41-37.0"}]}},{"type":"GIT","repo":"https://github.com/percona/percona-xtradb-cluster","events":[{"introduced":"0"},{"fixed":"0ca1798609a5b29b30da520de96dfa7a7f8afaac"},{"introduced":"0"},{"fixed":"6a03453bccf54324059a4d6beb39f2d735c37ad6"}],"database_specific":{"versions":[{"introduced":"5.6"},{"fixed":"5.6.32-25.17"},{"introduced":"5.7"},{"fixed":"5.7.14-26.17"}]}}],"versions":["Percona-Server-5.5.34-32.0","Percona-Server-5.5.35-33.0","Percona-Server-5.5.51-38.1","Percona-Server-5.6.14-62.0","Percona-Server-5.6.15-63.0","Percona-Server-5.6.22-72.0","Percona-Server-5.6.32-78.0","Percona-Server-5.6.5-60.0","Percona-Server-5.7.14-7","Percona-XtraDB-Cluster-5.6.14-25.1","Percona-XtraDB-Cluster-5.6.15-25.2","Percona-XtraDB-Cluster-5.6.15-25.3","Percona-XtraDB-Cluster-5.6.15-25.4","Percona-XtraDB-Cluster-5.6.15-25.5","Percona-XtraDB-Cluster-5.6.19-25.6","Percona-XtraDB-Cluster-5.6.20-25.7","Percona-XtraDB-Cluster-5.6.24-25.11","clone-5.1.0-build","clone-5.1.31-pv-0.2.0-build","clone-5.1.4-build","clone-5.4.0-build","clone-5.6.3-m5-build","clone-5.6.3-m6-build","last-PS-5.5-as-patches","mariadb-10.1.0","mariadb-10.1.10","mariadb-10.1.11","mariadb-10.1.12","mariadb-10.1.13","mariadb-10.1.14","mariadb-10.1.15","mariadb-10.1.16","mariadb-10.1.17","mariadb-10.1.2","mariadb-10.1.3","mariadb-10.1.4","mariadb-10.1.5","mariadb-10.1.6","mariadb-10.1.7","mariadb-10.1.8","mariadb-10.1.9","mysql-3.23.22-beta","mysql-3.23.28-gamma","mysql-3.23.30-gamma","mysql-3.23.31","mysql-3.23.32","mysql-3.23.33","mysql-3.23.36","mysql-4.0.2","mysql-4.0.4","mysql-5.1.4","mysql-5.5.15","mysql-5.5.19","mysql-5.5.23","mysql-5.5.25","mysql-5.5.27","mysql-5.5.44","mysql-5.5.47","mysql-5.5.49","mysql-5.5.52","mysql-5.6.33","mysql-5.7.15","mysql-8.0.0","mysql_4.0","mysqlsummit-0.2.0","mysqlsummit-0.2.0-build","mysqlsummit-0.2.1","mysqlsummit-0.2.1-build","pre-null-merge","pxc_5.6.25-25.12-3.12"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-6663.json","vanir_signatures_modified":"2026-04-11T05:00:40Z","vanir_signatures":[{"source":"https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291","signature_type":"Function","target":{"function":"ha_myisam::repair","file":"storage/myisam/ha_myisam.cc"},"signature_version":"v1","deprecated":false,"digest":{"function_hash":"276458813327328109121598275008083856050","length":3646},"id":"CVE-2016-6663-012dd5ec"},{"source":"https://github.com/mariadb/server/commit/6925689ca829901567e9503fd4fdce443f9a7d53","signature_type":"Line","target":{"file":"sql/mysqld.cc"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["10300787521009057356635998495684155765","192111626566387172416930231159549664701","200649067802958136682873101511178304844","139512347727877704466775504772460481116"],"threshold":0.9},"id":"CVE-2016-6663-0450532a"},{"source":"https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291","signature_type":"Line","target":{"file":"storage/myisam/myisamchk.c"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["156747042709335812239404857506504410227","231013385882616307362406484768393737594","247960275209919284425338247079266469796","94807745408925440267731616078773576765","292954708868220498858023134167179854521","215260897919776134769321196844271116522","327128402110047950727104259926443580298","37976955491392340010177804303314394070","31315364733805639904528875242370861535","23636445271699933478695614301336166186","142715726683166353606659931262966719615","113692683138749293938330979319571407078","239600725090668646360398799798242750812","141812422202096306878564551066768604157","116236903139257876953709171425674968247","142977855023063429113069970929363690371","247339910353859068544950836473596706959","184380523307018949517664805909490614929","235176238933677209035163335589649113259","122545716063765501173559697396925000324","253637046813155317159809229205987279491","64543028489523349328242021984464194566"],"threshold":0.9},"id":"CVE-2016-6663-0e9b3c17"},{"source":"https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291","signature_type":"Line","target":{"file":"mysys/my_redel.c"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["268840939935663536748212081556785947708","13213608670944391593977601682863524932","42022673281319839518881425877770538409","295567922588273038243547834376047814269","83732096556387150274615466118948077612","175667979982943242943117294983431153901","110041368375643820379187479017862529507","53656702135187289377974439619392192524","255265863849625929265871632865269432141"],"threshold":0.9},"id":"CVE-2016-6663-11f3a337"},{"source":"https://github.com/mariadb/server/commit/6925689ca829901567e9503fd4fdce443f9a7d53","signature_type":"Function","target":{"function":"wsrep_init_startup","file":"sql/wsrep_mysqld.cc"},"signature_version":"v1","deprecated":false,"digest":{"function_hash":"132261035674861403256292598415004597670","length":507},"id":"CVE-2016-6663-14e2f95c"},{"source":"https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291","signature_type":"Function","target":{"function":"mi_repair_parallel","file":"storage/myisam/mi_check.c"},"signature_version":"v1","deprecated":false,"digest":{"function_hash":"46874045325073224765921741163584709623","length":11518},"id":"CVE-2016-6663-167b6f87"},{"source":"https://github.com/mariadb/server/commit/347eeefbfc658c8531878218487d729f4e020805","signature_type":"Function","target":{"function":"init_common_variables","file":"sql/mysqld.cc"},"signature_version":"v1","deprecated":false,"digest":{"function_hash":"262319326199199505806627401201410805668","length":10175},"id":"CVE-2016-6663-2c19b237"},{"source":"https://github.com/mariadb/server/commit/347eeefbfc658c8531878218487d729f4e020805","signature_type":"Function","target":{"function":"my_redel","file":"mysys/my_redel.c"},"signature_version":"v1","deprecated":false,"digest":{"function_hash":"195743337054551639795236640843175325462","length":606},"id":"CVE-2016-6663-438ab69b"},{"source":"https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291","signature_type":"Line","target":{"file":"storage/myisam/ha_myisam.cc"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["201283705635448754132665265188137671436","296613805033232843133488841355618131989","290770581976157747597936953687005700797","317483574090711288141675573838371935383","262932596244079193037138873302489472737","308096480134062339759336998302812093359","40944838731279728717127484440448346577","90094137937071722639769174500675293628","46660997083066777924122253589500738189","172888075596071902319285000092358078749","233306842955875534311349834496105153115","303679630009499061330904604992622401246","144549355972847195092265270391635486169","20065455137261511726590167784347669069","333074141710635353878506192750459148821","321017884568555509413173745507597882333","170112018022462286709138612090632562697","52922199001493150231444090786513723373","213376804200464258068302637584522433408","251655547742885122498324756722412316001","312853271227260979379390432731718380101","318406103170310980244111911490146690437","288329711256206745116934964892715884557","171186147284461007665833970668839574649","239213191362046514061273544163485135424","131758108625120550413011234646016509642"],"threshold":0.9},"id":"CVE-2016-6663-44bbbc2d"},{"source":"https://github.com/mariadb/server/commit/347eeefbfc658c8531878218487d729f4e020805","signature_type":"Line","target":{"file":"mysys/my_redel.c"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["124687595909785567538765188232277988973","83732096556387150274615466118948077612","175667979982943242943117294983431153901","110041368375643820379187479017862529507","53656702135187289377974439619392192524"],"threshold":0.9},"id":"CVE-2016-6663-5aa320be"},{"source":"https://github.com/mariadb/server/commit/347eeefbfc658c8531878218487d729f4e020805","signature_type":"Line","target":{"file":"include/my_sys.h"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["204857641822545259624692295957400965273","241881475509794065742202524545529865730","220867298038812200121245944278101602115","42781184582441300900379110056144557069","140077583051860542236562203061000408419"],"threshold":0.9},"id":"CVE-2016-6663-7e57670c"},{"source":"https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291","signature_type":"Line","target":{"file":"storage/myisam/mi_check.c"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["42699215182813791121012285968399685361","283887813584854565888691497417157357180","308992967462514548775190287933262992961","280213325654104366914780866890144815731","248980031459596922128253564143995866701","250986292032979828544759821855331057500","288927712402439027009706396030426905626","53705054678198983521367532665957133835","273747095159405045276183622443483707691","113669133169273756262663631928872551246","168603377781963905516781435422178458369","232225171802750388073270099573340958989","69585755261622533388702614730225336173","95342301640158575961657907622925632951","315458012847417631193154885912884424542","12131081452139921587499998896789555826","277487103031690622320806890007182892316","186602220244811639594054663138278008748","173087997298978807669800251024279931962","222255978478241429711298864436308573805","177323726636066859717087707310528106480","287299628530470010984044338728657069257","133595270542946639628781352467207623188","13827795013520703108712237620662592313","76401467057788038773742128719613617138","128504660564266791888306851137419797961","208363716006632155423818890780186475368","250986292032979828544759821855331057500","288927712402439027009706396030426905626","53705054678198983521367532665957133835","134882972019238768994021430152751346849","226157148384397825808416733684846808501","44198304063688099870505427636626043103","232225171802750388073270099573340958989","69585755261622533388702614730225336173","89863585585117615111631960149423304978","170211683214940972715656533162695208785","226905967229131781338309747750819999242","189019889339060272823930724907516586024","251287378081451584581669384615429917886","182233386314124646865893770141230208085","250986292032979828544759821855331057500","288927712402439027009706396030426905626","53705054678198983521367532665957133835","134882972019238768994021430152751346849","226157148384397825808416733684846808501","44198304063688099870505427636626043103","232225171802750388073270099573340958989","69585755261622533388702614730225336173","89863585585117615111631960149423304978"],"threshold":0.9},"id":"CVE-2016-6663-971f3d65"},{"source":"https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291","signature_type":"Function","target":{"function":"my_redel","file":"mysys/my_redel.c"},"signature_version":"v1","deprecated":false,"digest":{"function_hash":"292832109208458826524827815740674481880","length":694},"id":"CVE-2016-6663-a4ab53e0"},{"source":"https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291","signature_type":"Line","target":{"file":"include/myisam.h"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["52191238680556084602184331467585717316","165500393937282181612836691971469098274","199298288664273736627721031451492543318","184926282695259036073269894408201576817","12484044925468655610656013300142054402","172054397009567870522721359562446896055","202249256637765096405274741918339176252","261386577292418474757752630291786559818","318757889588542971244826735996883594616","120795515728839937243591388654352490317"],"threshold":0.9},"id":"CVE-2016-6663-a7ba197e"},{"source":"https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291","signature_type":"Function","target":{"function":"myisamchk","file":"storage/myisam/myisamchk.c"},"signature_version":"v1","deprecated":false,"digest":{"function_hash":"161807721212549749744447256380498804981","length":11412},"id":"CVE-2016-6663-a8a47b33"},{"source":"https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291","signature_type":"Function","target":{"function":"mi_sort_index","file":"storage/myisam/mi_check.c"},"signature_version":"v1","deprecated":false,"digest":{"function_hash":"60193803830240735526068407873093331498","length":2846},"id":"CVE-2016-6663-abcb229c"},{"source":"https://github.com/mariadb/server/commit/6925689ca829901567e9503fd4fdce443f9a7d53","signature_type":"Function","target":{"function":"init_server_components","file":"sql/mysqld.cc"},"signature_version":"v1","deprecated":false,"digest":{"function_hash":"332731388677987676617497379852326324426","length":10442},"id":"CVE-2016-6663-ad13bcb6"},{"source":"https://github.com/mariadb/server/commit/347eeefbfc658c8531878218487d729f4e020805","signature_type":"Line","target":{"file":"mysys/my_static.c"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["81496441030339131816656121845420665094","302625491858400971457234939451495549748","6827239584925624247613973362449513601"],"threshold":0.9},"id":"CVE-2016-6663-dbd7e0a8"},{"source":"https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291","signature_type":"Function","target":{"function":"mi_repair_by_sort","file":"storage/myisam/mi_check.c"},"signature_version":"v1","deprecated":false,"digest":{"function_hash":"30622865852041770431449650785887601474","length":10095},"id":"CVE-2016-6663-df2b0ca8"},{"source":"https://github.com/mariadb/server/commit/347eeefbfc658c8531878218487d729f4e020805","signature_type":"Line","target":{"file":"sql/mysqld.cc"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["113653453795459072047227819278406290569","205000405171199861407951977585919257745","235516704714933514093155642919855990104","226523148360695621250871189521955661104"],"threshold":0.9},"id":"CVE-2016-6663-e13387dd"},{"source":"https://github.com/mysql/mysql-server/commit/4e5473862e6852b0f3802b0cd0c6fa10b5253291","signature_type":"Function","target":{"function":"mi_repair","file":"storage/myisam/mi_check.c"},"signature_version":"v1","deprecated":false,"digest":{"function_hash":"299749847910497993900732133731634673449","length":7360},"id":"CVE-2016-6663-eb8b92a0"},{"source":"https://github.com/mariadb/server/commit/6925689ca829901567e9503fd4fdce443f9a7d53","signature_type":"Line","target":{"file":"sql/wsrep_mysqld.cc"},"signature_version":"v1","deprecated":false,"digest":{"line_hashes":["48322688254895416229170939282175586315","246612037741245845170913514545422239772","63643117174896252787942841139351789137","12461612565261460537925623326578810451"],"threshold":0.9},"id":"CVE-2016-6663-f35317e8"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}