CVE-2026-9100
Description
The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash (via a division-by-zero) or silently leak process memory contents (via an out-of-bounds read).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MongoDB C Driver's legacy GridFS API mishandles malformed file metadata, enabling crashes or memory leaks via crafted documents.
Vulnerability
The vulnerability resides in the legacy GridFS API of the MongoDB C Driver. The API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection can trigger a division-by-zero crash or an out-of-bounds read that leaks process memory. Affected versions are the 1.x series before 1.30.8 and the 2.x series before 2.2.4 [1].
Exploitation
An attacker needs write access to a GridFS collection and inserts a specially crafted document there. When an application later reads that file through the legacy API, the malformed metadata leads the driver to perform invalid arithmetic (the division-by-zero) or to read beyond an allocated buffer (the out-of-bounds read). The victim application's own read operation is the trigger; no further user interaction is required.
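The following is an added example, not code from the MongoDB C Driver: a minimal model of reading a GridFS file from its fs.files metadata and fs.chunks documents, with a reader that trusts the metadata beside one that validates it first (the "adequate validation" the Mitigation section alludes to). The GridFS fields used (length, chunkSize, per-chunk binary data) are the standard ones; that the driver's division-by-zero and out-of-bounds read arise from exactly these fields, and the struct and function names, are assumptions for illustration. All sample metadata and chunks are constructed inline.

```c
/*
 * Added example, not the MongoDB C Driver's code. Models a GridFS reader:
 * the trusting variant shows where crafted metadata bites, the validating
 * variant rejects it before any arithmetic or copy depends on it.
 * Field choice (length, chunkSize, chunk data) is an assumption.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {            /* constructed stand-in for an fs.files document */
    int64_t length;         /* declared total file size */
    int32_t chunk_size;     /* declared chunkSize; 0 or negative is malformed */
} gridfs_file_meta;

typedef struct {            /* constructed stand-in for an fs.chunks document */
    int32_t n;              /* chunk index */
    const uint8_t *data;    /* binary payload as stored */
    int32_t data_len;       /* actual payload length */
} gridfs_chunk;

enum {
    GRIDFS_OK = 0,
    GRIDFS_ERR_CHUNK_SIZE = -1,   /* chunkSize <= 0 */
    GRIDFS_ERR_LENGTH = -2,       /* negative or overflowing length */
    GRIDFS_ERR_CHUNK_INDEX = -3,  /* chunk index outside the file */
    GRIDFS_ERR_CHUNK_SHORT = -4   /* stored chunk shorter than metadata implies */
};

/* Trusting reader: chunkSize == 0 divides by zero here. */
int64_t unsafe_chunk_count(const gridfs_file_meta *m)
{
    return (m->length + m->chunk_size - 1) / m->chunk_size;
}

/* Trusting reader: copies what the metadata implies, ignoring the real payload size. */
int64_t unsafe_read_chunk(const gridfs_file_meta *m, const gridfs_chunk *c, uint8_t *out)
{
    int64_t remaining = m->length - (int64_t)c->n * m->chunk_size;
    int64_t want = remaining < m->chunk_size ? remaining : m->chunk_size;
    memcpy(out, c->data, (size_t)want);   /* data_len < want: out-of-bounds read */
    return want;
}

/* Validating reader: check the files document before any arithmetic depends on it. */
int validate_file_meta(const gridfs_file_meta *m)
{
    if (m->chunk_size <= 0) return GRIDFS_ERR_CHUNK_SIZE;
    if (m->length < 0 || m->length > INT64_MAX - m->chunk_size) return GRIDFS_ERR_LENGTH;
    return GRIDFS_OK;
}

int64_t safe_chunk_count(const gridfs_file_meta *m, int *err)
{
    *err = validate_file_meta(m);
    if (*err != GRIDFS_OK) return -1;
    return (m->length + m->chunk_size - 1) / m->chunk_size;   /* 0 when length == 0 */
}

/* Bytes chunk n must carry: a full chunkSize, except a shorter final chunk. */
int64_t expected_chunk_len(const gridfs_file_meta *m, int32_t n)
{
    int64_t remaining = m->length - (int64_t)n * m->chunk_size;
    return remaining < m->chunk_size ? remaining : m->chunk_size;
}

/* Copy chunk n into out; rejects bad indices and chunks shorter than declared. */
int64_t safe_read_chunk(const gridfs_file_meta *m, const gridfs_chunk *c,
                        uint8_t *out, size_t out_cap, int *err)
{
    int64_t nchunks = safe_chunk_count(m, err);
    if (*err != GRIDFS_OK) return -1;
    if (c->n < 0 || c->n >= nchunks) { *err = GRIDFS_ERR_CHUNK_INDEX; return -1; }
    int64_t want = expected_chunk_len(m, c->n);
    if (c->data_len < want || (uint64_t)want > out_cap) { *err = GRIDFS_ERR_CHUNK_SHORT; return -1; }
    memcpy(out, c->data, (size_t)want);
    return want;
}

/* One-call wrappers: the chunk count or bytes copied, else a negative error code. */
int64_t count_or_err(int64_t length, int32_t chunk_size)
{
    gridfs_file_meta m = { length, chunk_size };
    int err;
    int64_t n = safe_chunk_count(&m, &err);
    return err == GRIDFS_OK ? n : err;
}

int64_t read_or_err(int64_t length, int32_t chunk_size, int32_t n,
                    const uint8_t *data, int32_t data_len)
{
    gridfs_file_meta m = { length, chunk_size };
    gridfs_chunk c = { n, data, data_len };
    uint8_t out[64];
    int err;
    int64_t got = safe_read_chunk(&m, &c, out, sizeof out, &err);
    return err == GRIDFS_OK ? got : err;
}

int main(void)
{
    gridfs_file_meta good = { 10, 4 };   /* constructed: 10-byte file, 4-byte chunks */
    printf("trusting reader, valid metadata: %lld chunks\n", (long long)unsafe_chunk_count(&good));
    /* crafted chunkSize 0: the trusting reader would divide by zero; the validating one refuses */
    printf("validating reader, chunkSize 0: err %lld\n", (long long)count_or_err(10, 0));
    /* crafted final chunk holding 1 byte where the metadata implies 2 */
    printf("validating reader, short chunk: err %lld\n",
           (long long)read_or_err(10, 4, 2, (const uint8_t *)"a", 1));
    return 0;
}
```

The two crafted inputs in main correspond to the two outcomes the advisory names: a zero chunkSize reaches the division in unsafe_chunk_count, and a chunk stored shorter than the metadata implies makes unsafe_read_chunk copy past the end of its payload. The validating reader checks both before touching the data, which is the behaviour to expect from the fixed driver versions, whatever its actual internals.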
Impact
Successful exploitation results in either a denial of service (application crash) or disclosure of process memory contents, which may include sensitive data. The attacker does not gain code execution or elevated privileges; the impact is limited to the reading process.
Mitigation
The issue is fixed in MongoDB C Driver versions 1.30.8 and 2.2.4 [1]. Users should upgrade to these versions or later. If upgrading is not immediately possible, avoid using the legacy GridFS API or restrict write access to GridFS collections to trusted users.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.