CVE-2026-9100— Heap memory out of bounds read and crash in C Driver legacy GridFS file reader
Possible ATT&CK Techniques 2AI
T1059 · Command and Scripting Interpreter T1210 · Exploitation of Remote ServicesAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| MongoDB, Inc. | C Driver | 1.0< 1.30.8 | affected |
2.0< 2.2.4 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-9100
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Heap memory out of bounds read and crash in C Driver legacy GridFS file reader
Source: NVD (National Vulnerability Database)
Vulnerability Description
The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash (via a division-by-zero) or silently leak process memory contents (via an out-of-bounds read).
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1285
Source: NVD (National Vulnerability Database)
Vulnerability Title
MongoDB C Driver 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MongoDB C Driver是MongoDB开源的一个用于在C语言程序中连接和操作MongoDB数据库的客户端驱动库。 MongoDB C Driver存在安全漏洞,该漏洞源于传统GridFS API未充分验证文件元数据,可能导致读取特制文档时崩溃或内存内容泄露。以下版本受到影响:MongoDB C Driver 4.4.0.3.0版本、4.5.0.0.0版本、4.5.0.1.1版本、4.5.0.1.3版本、4.5.0.2.0版本、25.4版本和25.10版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| MongoDB, Inc. | C Driver | 1.0 ~ 1.30.8 | - |
II. Public POCs for CVE-2026-9100
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-9100
请登录查看更多情报信息。
Patch · 1
IV. Related Vulnerabilities
Same vendor: MongoDB, Inc.
- CVE-2026-9101
Prototype pollution in csv parsing - CVE-2026-8843
Calling createIndex with certain index types can crash mongo - CVE-2026-8202
Post-authentication CPU utilization DoS via $trim/$ltrim/$rt - CVE-2026-8336
Post-authentication use-after-free error in $_internalJsEmit - CVE-2026-8201
Use-After-Free in MongoDB FLE Query Analysis When Processing
Same weakness: CWE-1285
- CVE-2026-33557
Apache Kafka: Missing JWT token validation in OAUTHBEARER au - CVE-2018-25232
Softros LAN Messenger 9.2 Denial of Service via Log Files Lo - CVE-2019-25625
Blob Studio 2.17 Denial of Service via Malformed Input - CVE-2019-25622
Paint Studio 2.17 Denial of Service via Malformed Input - CVE-2019-25593
jetCast Server 2.0 Denial of Service via Log Directory
V. Comments for CVE-2026-9100
No comments yet