C Driver
by MongoDB
CVEs (10)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-6691 | MongoDB / C Driver | High | 0.51 | 7.8 | 0.00 | | May 6, 2026 | The MongoDB C Driver's Cyrus SASL integration performs unsafe string copying during username canonicalization, enabling a heap buffer overflow before any authentication or network traffic. This may be triggered by passing untrusted input in the username of a MongoDB URI with… |
| CVE-2026-2303 | MongoDB / C Driver | Medium | 0.42 | 6.5 | 0.00 | | Feb 10, 2026 | The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI… |
| CVE-2026-9100 | MongoDB / C Driver | Medium | 0.38 | 5.9 | 0.00 | | May 20, 2026 | The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash (via a division-by-zero) or… |
| CVE-2024-6383 | MongoDB / C Driver | Medium | 0.34 | 5.3 | 0.01 | | Jul 3, 2024 | The bson_string_append function in MongoDB C Driver may be vulnerable to a buffer overflow where the function might attempt to allocate too small a buffer and may lead to memory corruption of neighbouring heap memory. This issue affects libbson versions prior to 1.27.1. |
| CVE-2026-6231 | MongoDB / C Driver | Medium | 0.21 | 4.3 | 0.00 | | Apr 13, 2026 | The bson_validate function may return early on specific inputs and incorrectly report success. This behavior could result in skipping validation for BSON data, allowing malformed or invalid UTF-8 sequences to bypass validation and be processed incorrectly. The issue may affect… |
| CVE-2026-4359 | MongoDB / C Driver | Low | 0.06 | 2.0 | 0.00 | | Mar 17, 2026 | A compromised third-party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver. |
| CVE-2025-12119 | MongoDB / C Driver | — | 0.00 | — | 0.00 | | Nov 18, 2025 | A mongoc_bulk_operation_t may read invalid memory if large options are passed. |
| CVE-2024-7553 | MongoDB / C Driver | — | 0.00 | — | 0.00 | | Aug 7, 2024 | Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating system is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue… |
| CVE-2023-0437 | MongoDB / C Driver | — | 0.00 | — | 0.01 | | Jan 12, 2024 | When calling bson_utf8_validate on some inputs, a loop with an exit condition that cannot be reached may occur, i.e. an infinite loop. This issue affects all MongoDB C Driver versions prior to version 1.25.0. |
| CVE-2018-16790 | MongoDB / C Driver | High | 0.00 | 8.1 | 0.02 | | Sep 10, 2018 | _bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer. |
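Three of the entries above come down to the same parser rule: CVE-2018-16790 (heap over-read from a crafted BSON buffer), CVE-2026-6231 (bson_validate returning success early) and CVE-2023-0437 (a bson_utf8_validate loop that never terminates). A BSON reader has to bound every read by the bytes it actually holds rather than by the length fields inside the document, and its element loop has to make progress on every iteration. The checker below is an added example written for this page, not code from libbson or the driver; `bson_check`, `check_doc`, `utf8_ok` and the sample documents are all constructed here, and only a subset of element types is handled. In production the right call is to stay on a fixed release and use libbson's own validation (`bson_validate_with_error`); this block shows what those checks must guarantee, with constructed documents that exercise each failure.

```c
/* Defensive BSON framing check: an added example, not libbson or driver code.
 * Every read is bounded by the bytes actually held, never by a length field
 * inside the document, and the element loop always advances. Only a subset
 * of element types is handled; anything else is rejected, not skipped over. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_DEPTH 32   /* nesting limit; an arbitrary choice for this example */

/* Outcomes: mismatch = length field disagrees with bytes held; unterminated =
 * missing closing 0x00 or key NUL; truncated = a value runs past the end. */
typedef enum { BSON_OK = 0, BSON_ERR_TOO_SHORT, BSON_ERR_LENGTH_MISMATCH,
               BSON_ERR_UNTERMINATED, BSON_ERR_TRUNCATED_VALUE, BSON_ERR_BAD_STRING,
               BSON_ERR_BAD_UTF8, BSON_ERR_UNKNOWN_TYPE, BSON_ERR_TOO_DEEP } bson_check_result;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 1 if s[0..len) is well-formed UTF-8 with no overlongs, surrogates or NULs. */
static int utf8_ok(const uint8_t *s, size_t len) {
    for (size_t i = 0; i < len;) {
        uint8_t b = s[i], lo = 0x80, hi = 0xBF;
        size_t cont;                              /* continuation bytes expected */
        if (b == 0x00) return 0;
        if (b < 0x80) { i++; continue; }
        if (b >= 0xC2 && b <= 0xDF) cont = 1;
        else if (b >= 0xE0 && b <= 0xEF) { cont = 2; if (b == 0xE0) lo = 0xA0; if (b == 0xED) hi = 0x9F; }
        else if (b >= 0xF0 && b <= 0xF4) { cont = 3; if (b == 0xF0) lo = 0x90; if (b == 0xF4) hi = 0x8F; }
        else return 0;
        if (len - i < cont + 1) return 0;         /* sequence runs off the end */
        if (s[i + 1] < lo || s[i + 1] > hi) return 0;
        for (size_t k = 2; k <= cont; k++)
            if (s[i + k] < 0x80 || s[i + k] > 0xBF) return 0;
        i += cont + 1;                            /* progress is guaranteed */
    }
    return 1;
}

static bson_check_result check_doc(const uint8_t *buf, size_t buf_len, int depth) {
    if (depth > MAX_DEPTH) return BSON_ERR_TOO_DEEP;
    if (buf_len < 5) return BSON_ERR_TOO_SHORT;
    uint32_t declared = read_le32(buf);
    /* The length field is attacker-controlled; the buffer length is not. */
    if (declared < 5 || declared != buf_len) return BSON_ERR_LENGTH_MISMATCH;
    if (buf[declared - 1] != 0x00) return BSON_ERR_UNTERMINATED;
    size_t pos = 4, end = declared - 1;           /* end: index of the closing 0x00 */
    while (pos < end) {
        uint8_t type = buf[pos++];
        const uint8_t *nul = memchr(buf + pos, 0x00, end - pos);  /* key cstring */
        if (nul == NULL) return BSON_ERR_UNTERMINATED;
        size_t key_len = (size_t)(nul - (buf + pos));
        if (!utf8_ok(buf + pos, key_len)) return BSON_ERR_BAD_UTF8;
        pos += key_len + 1;                       /* each element consumes >= 2 bytes */
        size_t remaining = end - pos, need;
        switch (type) {
        case 0x10: need = 4; break;               /* int32 */
        case 0x01: case 0x12: need = 8; break;    /* double, int64 */
        case 0x02: {                              /* string: int32 len, bytes, NUL */
            if (remaining < 4) return BSON_ERR_TRUNCATED_VALUE;
            uint32_t slen = read_le32(buf + pos);
            if (slen < 1 || slen > remaining - 4) return BSON_ERR_BAD_STRING;
            if (buf[pos + 4 + slen - 1] != 0x00) return BSON_ERR_BAD_STRING;
            if (!utf8_ok(buf + pos + 4, slen - 1)) return BSON_ERR_BAD_UTF8;
            need = 4 + slen;
            break;
        }
        case 0x03: case 0x04: {                   /* embedded document / array */
            if (remaining < 4) return BSON_ERR_TRUNCATED_VALUE;
            uint32_t sublen = read_le32(buf + pos);
            if (sublen > remaining) return BSON_ERR_TRUNCATED_VALUE;
            bson_check_result r = check_doc(buf + pos, sublen, depth + 1);
            if (r != BSON_OK) return r;
            need = sublen;
            break;
        }
        default: return BSON_ERR_UNKNOWN_TYPE;    /* includes 0x00 before the end */
        }
        if (need > remaining) return BSON_ERR_TRUNCATED_VALUE;
        pos += need;
    }
    return pos == end ? BSON_OK : BSON_ERR_TRUNCATED_VALUE;
}

bson_check_result bson_check(const uint8_t *buf, size_t buf_len) { return check_doc(buf, buf_len, 0); }

/* Constructed sample documents, hand-assembled for this example. */
static const uint8_t doc_good[]       = { 0x16,0,0,0, 0x02,'a',0, 0x03,0,0,0,'h','i',0, 0x10,'b',0, 1,0,0,0, 0 };
static const uint8_t doc_over_read[]  = { 0x7F,0,0,0, 0x02,'a',0, 0x03,0,0,0,'h','i',0, 0x10,'b',0, 1,0,0,0, 0 };
static const uint8_t doc_bad_strlen[] = { 0x16,0,0,0, 0x02,'a',0, 0x64,0,0,0,'h','i',0, 0x10,'b',0, 1,0,0,0, 0 };
static const uint8_t doc_bad_utf8[]   = { 0x0E,0,0,0, 0x02,'a',0, 0x02,0,0,0,0xFF,0, 0 };
static const uint8_t doc_no_key_nul[] = { 0x0A,0,0,0, 0x10,'a','b','c','d',0 };
static const uint8_t doc_nested[]     = { 0x0D,0,0,0, 0x03,'d',0, 0x05,0,0,0,0, 0 };

int main(void) {
    struct { const char *name; const uint8_t *doc; size_t len; } cases[] = {
        { "good", doc_good, sizeof doc_good },               { "over_read", doc_over_read, sizeof doc_over_read },
        { "bad_strlen", doc_bad_strlen, sizeof doc_bad_strlen }, { "bad_utf8", doc_bad_utf8, sizeof doc_bad_utf8 },
        { "no_key_nul", doc_no_key_nul, sizeof doc_no_key_nul }, { "nested", doc_nested, sizeof doc_nested } };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-11s -> %d\n", cases[i].name, (int)bson_check(cases[i].doc, cases[i].len));
    return 0;
}
```

The `doc_over_read` case is the shape behind CVE-2018-16790: the same 22 bytes as `doc_good` with the length field set to 127, which a reader that trusts the field would walk past the end of. The rejection of a string whose length field exceeds the bytes left, and of a key with no NUL, covers the truncated-value and unterminated cases, and `utf8_ok` advances `i` on every path so it cannot loop forever on any input.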