CVE-2026-22185
Unknown Unknown - Not Provided
Heap Buffer Underflow in OpenLDAP LMDB Causes DoS, Info Leak

Publication date: 2026-01-07

Last updated on: 2026-01-07

Assigner: VulnCheck

Description
OpenLDAP Lightning Memory-Mapped Database (LMDB) mdb_load contains a heap buffer underflow vulnerability in the readline() function. When processing malformed input, an unsigned offset calculation can underflow a heap pointer, resulting in an out-of-bounds read of one byte before the allocated heap buffer. This may allow a local attacker to cause a denial of service and potentially disclose limited heap memory contents.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-07
Last Modified
2026-01-07
Generated
2026-06-16
AI Q&A
2026-01-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22185
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
openldap openldap to 2.6.10 (inc)
mongodb mongodb 8.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22185 is a heap buffer underflow vulnerability in the readline() function of OpenLDAP's Lightning Memory-Mapped Database (LMDB) mdb_load utility. When processing malformed input, an unsigned integer underflow occurs during pointer arithmetic, causing a pointer to move one byte before the allocated heap buffer. This results in an out-of-bounds read of one byte before the buffer, which can lead to denial of service and limited disclosure of heap memory contents. [2, 3, 4]

Impact Analysis

This vulnerability can be exploited by a local attacker to cause a denial of service (DoS) by crashing the mdb_load process. Additionally, it may allow limited disclosure of heap memory contents, including heap metadata, which could aid attackers in bypassing exploit mitigations in multi-stage attacks. [2, 3, 4]

Detection Guidance

This vulnerability can be detected by monitoring for crashes or runtime errors in the mdb_load utility when processing LMDB dump files, especially those containing malformed or empty lines. Using AddressSanitizer (ASAN) or UndefinedBehaviorSanitizer (UBSan) during testing of mdb_load with crafted input files can reveal the heap buffer underflow and out-of-bounds read. There are no specific network detection commands since the attack is local. Suggested commands include running mdb_load with a crafted LMDB dump file under ASAN or UBSan instrumentation to observe heap-buffer-overflow or undefined behavior reports. For example: `ASAN_OPTIONS=detect_stack_use_after_return=1 ./mdb_load <crafted_dump_file>` or using UBSan-enabled builds to detect the unsigned integer underflow at runtime. [2, 4]

Mitigation Strategies

Immediate mitigation steps include avoiding the use of the vulnerable mdb_load utility on untrusted or malformed LMDB dump files, especially those containing empty lines. Applying patches or updates from OpenLDAP or MongoDB that fix the readline() function to properly validate input line lengths and prevent unsigned integer underflow is critical. If patches are not yet available, restrict local access to systems running mdb_load to trusted users only, and monitor for crashes or unusual behavior in mdb_load processes. Additionally, consider running mdb_load in a sandboxed environment to limit potential impact from denial of service or information disclosure. [3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22185. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart