CVE-2019-16226
Description
py-lmdb 0.97's mdb_node_del function lacks validation of a memmove when node->mn_hi is unexpected, causing an invalid write that can corrupt memory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
py-lmdb version 0.97 contains a memory corruption vulnerability in the mdb_node_del function. The root cause is a missing validation of a memmove operation when an unexpected node->mn_hi value is encountered [1]. This flaw can lead to an invalid write operation when processing a malformed database file.
Exploitation
The vulnerability is triggered when an application using py-lmdb 0.97 opens a specially crafted data.mdb file supplied by an attacker [1]. No authentication is required if the attacker can provide the malicious file to the victim application. The issue lies in the LMDB library's internals and has been documented alongside related bugs [2]. Proof-of-concept code is publicly available [4].
Impact
Successful exploitation can result in memory corruption, potentially leading to application crashes or arbitrary code execution. The exact impact depends on how the malformed node data is interpreted by the memmove call [3].
Mitigation
Users should upgrade py-lmdb to a version that includes the fix for this issue. As of the publication date, no official patch has been released; the issue is tracked in the project's issue tracker [2]. Until a patched version is available, avoid opening untrusted LMDB files.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lmdb (PyPI) | <= 0.97 | — |
Affected products
- py-lmdb/py-lmdb (source: description)
- ghsa-coords, 2 versions: <= 0.97 + 1 more
- (no CPE), range: <= 0.97
- (no CPE), range: < 2.1.1-1.1
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-r8g9-w4f3-9crm (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-16226 (ghsa, ADVISORY)
- github.com/LMDB/lmdb/blob/mdb.master/libraries/liblmdb/mdb.c (ghsa, WEB)
- github.com/TeamSeri0us/pocs/tree/master/lmdb/lmdb%20memory%20corruption%20vuln (ghsa, x_refsource_MISC, WEB)
- github.com/jnwatson/py-lmdb/issues/210 (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/lmdb/PYSEC-2019-238.yaml (ghsa, WEB)
- pypi.org/project/lmdb (ghsa, WEB)