CVE-2026-9100

MEDIUM

Heap memory out of bounds read and crash in C Driver legacy GridFS file reader

Title source: cna

Description

The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash (via a division-by-zero) or silently leak process memory contents (via an out-of-bounds read).

References (1)

Core 1

Core References

Issue Tracking issue-tracking

https://jira.mongodb.org/browse/CDRIVER-6281

Scores

CVSS v3 5.9

EPSS 0.0028

EPSS Percentile 19.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1285

Status published

Products (2)

MongoDB, Inc./C Driver 1.0 - 1.30.8

MongoDB, Inc./C Driver 2.0 - 2.2.4

Published May 20, 2026

Tracked Since May 20, 2026