VYPR
Medium severity 6.5 · NVD Advisory · Published Feb 10, 2026 · Updated Apr 15, 2026

CVE-2026-2303

Description

The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guaranteed to be null-terminated or have extra padding, this results in reading one byte past the allocated heap buffer.
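The termination assumption described above, shown as an added C example; this is not the driver's code or its patch. `example_gss_buffer` is a constructed stand-in for GSSAPI's length-plus-pointer buffer so the file builds without GSSAPI headers, and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for gss_buffer_desc: a byte count and a pointer,
   with no terminator promised after value[length - 1]. */
typedef struct {
    size_t length;
    void  *value;
} example_gss_buffer;

/* Hazardous pattern (assumed, for contrast; never called here): treating
   value as a C string makes strlen() read value[length] and beyond. */
size_t unsafe_text_length(const example_gss_buffer *buf)
{
    return strlen((const char *)buf->value);
}

/* Length-bounded copy: reads exactly buf->length bytes and appends the
   terminator in memory this function owns. Caller frees the result. */
char *buffer_to_cstring(const example_gss_buffer *buf)
{
    if (buf == NULL || buf->length == SIZE_MAX) return NULL;
    if (buf->value == NULL && buf->length != 0) return NULL;
    char *out = malloc(buf->length + 1);
    if (out == NULL) return NULL;
    if (buf->length != 0) memcpy(out, buf->value, buf->length);
    out[buf->length] = '\0';
    return out;
}

/* Constructed input: a 5-byte heap allocation holding "admin" with no NUL,
   the exact-fit case where the out-of-bounds read would occur. */
int demo_exact_fit(void)
{
    example_gss_buffer buf = { 5, malloc(5) };
    if (buf.value == NULL) return 0;
    memcpy(buf.value, "admin", 5);
    char *s = buffer_to_cstring(&buf);
    int ok = s != NULL && strlen(s) == 5 && memcmp(s, "admin", 6) == 0;
    free(s);
    free(buf.value);
    return ok;
}

int main(void)
{
    printf("exact-fit copy %s\n", demo_exact_fit() ? "ok" : "failed");
    return 0;
}
```

Building with `-fsanitize=address` and calling `unsafe_text_length` on the same exact-fit buffer is a quick way to confirm that a sanitizer-enabled test suite would flag this class of read.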

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| go.mongodb.org/mongo-driver | Go | < 1.17.7 | 1.17.7 |
| go.mongodb.org/mongo-driver/v2 | Go | < 2.4.2 | 2.4.2 |

Affected products

334
