CVE Alert

CVE-2026-9100

MEDIUM 5.9

Heap memory out of bounds read and crash in C Driver legacy GridFS file reader

CVSS Score: 5.9
EPSS Score: 0.0%
EPSS Percentile: 0th

The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash (via a division-by-zero) or silently leak process memory contents (via an out-of-bounds read).

CWE: CWE-1285
Vendor: mongodb, inc.
Product: c driver
Published: May 20, 2026
Last Updated: May 20, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: High

Affected Versions

MongoDB, Inc. / C Driver
1.0 < 1.30.8
2.0 < 2.2.4

References

NVD, CVE.org, EPSS Data
jira.mongodb.org: https://jira.mongodb.org/browse/CDRIVER-6281