CVE-2026-22185
Heap Buffer Underflow in OpenLDAP LMDB Causes DoS, Info Leak
Publication date: 2026-01-07
Last updated on: 2026-01-07
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openldap | openldap | to 2.6.10 (inc) |
| mongodb | mongodb | 8.3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22185 is a heap buffer underflow vulnerability in the readline() function of OpenLDAP's Lightning Memory-Mapped Database (LMDB) mdb_load utility. When processing malformed input, an unsigned integer underflow occurs during pointer arithmetic, causing a pointer to move one byte before the allocated heap buffer. This results in an out-of-bounds read of one byte before the buffer, which can lead to denial of service and limited disclosure of heap memory contents. [2, 3, 4]
How can this vulnerability impact me?
This vulnerability can be exploited by a local attacker to cause a denial of service (DoS) by crashing the mdb_load process. Additionally, it may allow limited disclosure of heap memory contents, including heap metadata, which could aid attackers in bypassing exploit mitigations in multi-stage attacks. [2, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or runtime errors in the mdb_load utility when it processes LMDB dump files, especially those containing malformed or empty lines. Testing mdb_load with crafted input files under AddressSanitizer (ASAN) or UndefinedBehaviorSanitizer (UBSan) can reveal the heap buffer underflow and out-of-bounds read. There are no specific network detection commands, since the attack is local. Suggested commands include running mdb_load with a crafted LMDB dump file under ASAN or UBSan instrumentation to observe heap-buffer-overflow or undefined behavior reports. For example: `ASAN_OPTIONS=detect_stack_use_after_return=1 ./mdb_load -f <crafted_dump_file> <env_dir>`, or use UBSan-enabled builds to detect the unsigned integer underflow at runtime. [2, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the vulnerable mdb_load utility on untrusted or malformed LMDB dump files, especially those containing empty lines. Applying patches or updates from OpenLDAP or MongoDB that fix the readline() function to properly validate input line lengths and prevent unsigned integer underflow is critical. If patches are not yet available, restrict local access to systems running mdb_load to trusted users only, and monitor for crashes or unusual behavior in mdb_load processes. Additionally, consider running mdb_load in a sandboxed environment to limit potential impact from denial of service or information disclosure. [3, 4]
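The bug class described in the answers above, as an added illustration (not OpenLDAP or LMDB source code): an unchecked "last byte of the line" computation next to the length-validated form the mitigation answer calls for. All function names and sample lines are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Index of the last byte as the unchecked pattern computes it.
 * size_t is unsigned, so len == 0 wraps to SIZE_MAX instead of -1. */
size_t last_index_unchecked(size_t len)
{
    return len - 1;
}

/* Unchecked pattern (illustrative only): correct only when len >= 1.
 * With len == 0 the wrapped index makes the pointer land one byte
 * before the buffer, so the comparison reads out of bounds. */
int ends_with_newline_unchecked(const char *buf, size_t len)
{
    const char *last = buf + last_index_unchecked(len);
    return *last == '\n';
}

/* Hardened pattern: validate the length before any pointer arithmetic. */
size_t trim_newline_checked(char *buf, size_t len)
{
    if (buf == NULL || len == 0)
        return 0;               /* empty line: nothing to inspect */
    if (buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return len - 1;
    }
    return len;
}

int main(void)
{
    /* Constructed sample lines; the third is the empty-line case. */
    const char *samples[] = { "VERSION=3\n", "HEADER=END", "" };
    for (size_t i = 0; i < 3; i++) {
        char line[32];
        strcpy(line, samples[i]);
        size_t len = strlen(line);
        printf("len=%zu unchecked_index=%zu trimmed_len=%zu\n", len,
               last_index_unchecked(len), trim_newline_checked(line, len));
    }
    return 0;
}
```

The unchecked function is never called with a zero length here; only the wrapped index is printed, so the program itself stays within bounds.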