CVE-2019-16227
Description
py-lmdb 0.97 has a buffer overflow in mdb_cursor_set when processing a crafted LMDB database file, leading to potential memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In py-lmdb version 0.97, the function mdb_cursor_set can trigger a memcpy with an invalid write destination within mdb_xcursor_init1 when certain mn_flags values are used [1][2]. This constitutes a classic buffer overflow vulnerability in the LMDB binding's cursor handling logic.
Exploitation
An attacker can exploit this by supplying a specially crafted data.mdb file. When an application opens this malicious database and performs cursor operations, the overflow occurs [1][3]. No authentication is required; the attack vector is local file access or any scenario where the attacker can control the database file loaded by the application.
Impact
Successful exploitation can lead to memory corruption, potentially enabling denial of service or arbitrary code execution in the context of the application using py-lmdb [2][3]. The proof-of-concept code demonstrates the illegal memory write [3].
Mitigation
The vulnerability is present in py-lmdb 0.97. Users should upgrade to a patched version; the project's repository indicates ongoing maintenance and later versions likely address this issue [4]. No official workaround is documented beyond avoiding untrusted database files.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| lmdb (PyPI) | <= 0.97 | — |
Affected products
- py-lmdb/py-lmdb (source: description)
- ghsa-coords: 2 versions, <= 0.97 (+ 1 more)
- (no CPE) range: <= 0.97
- (no CPE) range: < 2.1.1-1.1
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-pf3p-v9xp-mrvf (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-16227 (ghsa, ADVISORY)
- github.com/TeamSeri0us/pocs/tree/master/lmdb/lmdb%20memcpy%20illegal%20dst (ghsa, x_refsource_MISC, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/lmdb/PYSEC-2019-239.yaml (ghsa, WEB)
- pypi.org/project/lmdb (ghsa, WEB)