CVE-2026-9100
MongoDB C Driver Legacy GridFS Memory Leak and Crash
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: MongoDB, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mongodb | mongodb_c_driver | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1285 | The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the MongoDB C Driver's legacy GridFS API, which accepts malformed file metadata from the database without proper validation.
If an attacker crafts malicious documents in a GridFS collection, any application that reads those files using the legacy API may either crash due to a division-by-zero error or silently leak process memory contents because of an out-of-bounds read.
How can this vulnerability impact me? :
This vulnerability can impact you by causing your application to crash unexpectedly or by leaking sensitive process memory contents without your knowledge.
Such crashes can lead to denial of service, while memory leaks can expose sensitive information, potentially compromising the security of your system.