PT-2026-37642 · Mongodb · Mongodb C Driver
Published 2026-04-29 · Updated 2026-05-06 · CVE-2026-6691
CVSS v4.0: 8.6 (High)
| Vector | AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
mongo-c-driver (affected versions not specified)
Description
The Cyrus SASL integration in the MongoDB C Driver performs unsafe string copying during username canonicalization. The copy can write past the end of a heap-allocated buffer, i.e. a heap buffer overflow (memory corruption in the heap). The overflow is reachable before any authentication exchange or network traffic: it is enough to place untrusted input in the username component of a MongoDB URI that uses the authMechanism=GSSAPI parameter. Applications that build connection URIs from user-supplied usernames with GSSAPI authentication are therefore the exposed ones; the CVSS vector (AV:L, PR:N, UI:N) reflects that no network access or privileges are needed beyond supplying that input.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability. Until a fixed release is available, do not pass untrusted or unvalidated usernames into URIs that use authMechanism=GSSAPI; enforce a length limit and a character whitelist on the username before it reaches the driver.
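The following is an added illustration of the bug class the description names; it is the editor's code, not mongo-c-driver source, and does not show the driver's actual canonicalization logic. It assumes a canonicalization step that appends a Kerberos realm (user@REALM) to the username; the function names, the 64-byte allocation in the unsafe variant and the MAX_CANON_LEN policy limit are all assumptions. The unsafe form copies an attacker-controlled username into a fixed heap buffer; the bounded form sizes the buffer from the measured inputs and rejects oversized names instead of truncating them.

```c
/* Editor's illustration, NOT mongo-c-driver code. Shows an unbounded
 * username copy into a heap buffer beside a length-checked version.
 * Assumed: canonical form is user@REALM; 64-byte buffer; MAX_CANON_LEN. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CANON_LEN 255  /* assumed policy limit for user@REALM */

/* Unsafe pattern: fixed-size heap buffer, unbounded strcpy/strcat.
 * Any username of 64 bytes or more writes past the allocation.
 * Shown only for contrast; never run it on untrusted input. */
char *canon_user_unsafe(const char *user, const char *realm)
{
    char *out = malloc(64);            /* assumed fixed allocation */
    if (out == NULL)
        return NULL;
    strcpy(out, user);                 /* heap overflow if strlen(user) >= 64 */
    strcat(out, "@");
    strcat(out, realm);
    return out;
}

/* Bounded form: measure the inputs first, reject anything over the policy
 * limit rather than truncating, size the allocation from those lengths,
 * and copy with memcpy using the lengths already measured.
 * Returns NULL on rejection or allocation failure; caller must check. */
char *canon_user_safe(const char *user, const char *realm)
{
    if (user == NULL || realm == NULL)
        return NULL;
    size_t ulen = strlen(user);
    size_t rlen = strlen(realm);
    if (ulen == 0 || rlen == 0)
        return NULL;
    if (ulen + 1 + rlen > MAX_CANON_LEN)   /* user '@' realm exceeds limit */
        return NULL;
    size_t need = ulen + 1 + rlen + 1;     /* + terminating NUL */
    char *out = malloc(need);
    if (out == NULL)
        return NULL;
    memcpy(out, user, ulen);
    out[ulen] = '@';
    memcpy(out + ulen + 1, realm, rlen);
    out[need - 1] = '\0';
    return out;
}

int main(void)
{
    /* Constructed inputs: a normal name and an oversized one. */
    char *ok = canon_user_safe("alice", "EXAMPLE.COM");
    printf("%s\n", ok ? ok : "(rejected)");
    free(ok);

    char big[300];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    char *bad = canon_user_safe(big, "EXAMPLE.COM");
    printf("%s\n", bad ? bad : "(rejected)");
    free(bad);
    return 0;
}
```

The point of the bounded form is that the allocation size and the copy lengths come from the same measurement of the same input, so no username, however long, can make the copy exceed the buffer; the policy limit is a separate decision and is enforced by refusing the input, not by silently shortening it.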
Weakness Enumeration
Buffer Overflow
Related Identifiers
Affected Products
Mongodb C Driver