Vitess · Vitess · CVE-2024-32886
**Name of the Vulnerable Software and Affected Versions**
Vitess versions prior to 17.0.7
Vitess versions prior to 18.0.5
Vitess versions prior to 19.0.4
**Description**
The issue arises when executing a specific query, causing `vtgate` to enter an endless loop and consume increasing amounts of memory, eventually leading to a denial of service through memory exhaustion. The root cause is that the decoding functions for certain collations, such as `utf16`, `utf32`, and `ucs2`, enforce a minimal character length, while the callers of `DecodeRune` rely on its return value (the number of bytes consumed) to make progress. When only 1 byte of input remains, the function returns 0, the caller does not advance past that byte, and the loop never terminates. The estimated number of potentially affected devices worldwide is not specified.
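The failure mode described above, as an added illustration that is not Vitess code: a simplified UTF-16BE decoder that, like the collation decoders in the advisory, reports 0 bytes consumed when too few bytes remain, placed beside two callers. `decodeAllGuarded` treats a zero-length return as a hard error on trailing bytes, which is the defensive shape a caller needs; `decodeAllBounded` keeps the unguarded loop shape but with an iteration budget so the stall (and the growing output slice) can be observed instead of hanging the process. All function and error names are hypothetical, and the byte sequences are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"unicode/utf16"
	"unicode/utf8"
)

// ErrTruncated is returned when the input ends inside a code unit or a
// surrogate pair. Hypothetical name; not from the Vitess code base.
var ErrTruncated = errors.New("utf16: truncated input")

// decodeRuneUTF16BE mirrors the shape of a decoder that enforces a minimal
// character length: it returns the decoded rune and the number of bytes it
// consumed, and reports 0 bytes consumed when the remaining input is too
// short to hold a whole character.
func decodeRuneUTF16BE(b []byte) (rune, int) {
	if len(b) < 2 {
		return utf8.RuneError, 0 // a lone trailing byte: no progress possible
	}
	u := rune(b[0])<<8 | rune(b[1])
	if utf16.IsSurrogate(u) {
		if len(b) < 4 {
			return utf8.RuneError, 0 // surrogate pair cut short
		}
		lo := rune(b[2])<<8 | rune(b[3])
		r := utf16.DecodeRune(u, lo)
		if r == utf8.RuneError {
			return utf8.RuneError, 2 // invalid pair: still consume the first unit
		}
		return r, 4
	}
	return u, 2
}

// decodeAllGuarded walks the input and refuses to spin: a decoder result of
// zero bytes consumed is reported as an error instead of being looped on.
func decodeAllGuarded(b []byte) ([]rune, error) {
	var out []rune
	for len(b) > 0 {
		r, n := decodeRuneUTF16BE(b)
		if n <= 0 {
			return out, fmt.Errorf("%w: %d trailing byte(s)", ErrTruncated, len(b))
		}
		out = append(out, r)
		b = b[n:]
	}
	return out, nil
}

// decodeAllBounded has the unguarded caller shape from the advisory (append a
// rune, advance by n, repeat) but caps the number of iterations so the lack
// of progress is visible. With n == 0 the slice never shrinks and the output
// keeps growing, which is the memory-exhaustion path.
func decodeAllBounded(b []byte, maxSteps int) (runes []rune, steps int, stalled bool) {
	for len(b) > 0 {
		if steps >= maxSteps {
			return runes, steps, true
		}
		steps++
		r, n := decodeRuneUTF16BE(b)
		runes = append(runes, r)
		b = b[n:] // n == 0 leaves b unchanged
	}
	return runes, steps, false
}

func main() {
	// Constructed inputs: "Hi" in UTF-16BE, and a single dangling byte.
	fmt.Println(decodeAllGuarded([]byte{0x00, 0x48, 0x00, 0x69}))
	fmt.Println(decodeAllGuarded([]byte{0xFF}))
	_, steps, stalled := decodeAllBounded([]byte{0xFF}, 1000)
	fmt.Println("steps:", steps, "stalled:", stalled)
}
```

The guarded caller is the relevant check: any decoder contract of the form "returns bytes consumed" must be paired with a caller that treats 0 as an error (or at minimum advances by one byte), otherwise a single stray byte at the end of a query literal is enough to pin a CPU and grow memory without bound.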
**Recommendations**
For versions prior to 17.0.7, update to version 17.0.7 or later.
For versions prior to 18.0.5, update to version 18.0.5 or later.
For versions prior to 19.0.4, update to version 19.0.4 or later.
As a temporary workaround, consider restricting the use of the `utf16`, `utf32`, and `ucs2` encodings in queries to reduce the risk of exploitation, and avoid issuing the `select utf16 0xFF` query against the affected API endpoint until the issue is resolved.