{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22185", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-01-06T16:47:17.182Z", "datePublished": "2026-01-07T20:26:30.054Z", "dateUpdated": "2026-03-05T01:30:08.139Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenLDAP", "vendor": "OpenLDAP Foundation", "versions": [{"lessThan": "0.9.34", "status": "affected", "version": "0.9.14", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openldap:openldap:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.9.14", "versionEndExcluding": "0.9.34"}]}]}], "credits": [{"lang": "en", "type": "finder", "value": "Ron Edgerson"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition."}], "value": "OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "baseScore": 4.6, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-191", "description": "CWE-191 Integer Underflow (Wrap or Wraparound)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-05T01:30:08.139Z"}, "references": [{"tags": ["technical-description", "exploit"], "url": "https://seclists.org/fulldisclosure/2026/Jan/5"}, {"tags": ["technical-description", "exploit"], "url": "https://seclists.org/fulldisclosure/2026/Jan/8"}, {"tags": ["product"], "url": "https://www.openldap.org/"}, {"tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/openldap-lmdb-mdb-load-heap-buffer-underflow-in-readline"}, {"tags": ["issue-tracking", "patch"], "url": "https://bugs.openldap.org/show_bug.cgi?id=10421"}], "source": {"discovery": "UNKNOWN"}, "title": "OpenLDAP <= 2.6.10 LMDB mdb_load Heap Buffer Underflow in readline()", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T21:25:36.753538Z", "id": "CVE-2026-22185", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T21:25:58.538Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22185", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T21:25:36.753538Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T21:25:42.254Z"}}], "cna": {"title": "OpenLDAP <= 2.6.10 LMDB mdb_load Heap Buffer Underflow in readline()", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Ron Edgerson"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.6, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OpenLDAP Foundation", "product": "OpenLDAP", "versions": [{"status": "affected", "version": "0.9.14", "lessThan": "0.9.34", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://seclists.org/fulldisclosure/2026/Jan/5", "tags": ["technical-description", "exploit"]}, {"url": "https://seclists.org/fulldisclosure/2026/Jan/8", "tags": ["technical-description", "exploit"]}, {"url": "https://www.openldap.org/", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/openldap-lmdb-mdb-load-heap-buffer-underflow-in-readline", "tags": ["third-party-advisory"]}, {"url": "https://bugs.openldap.org/show_bug.cgi?id=10421", "tags": ["issue-tracking", "patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition.", "supportingMedia": [{"type": "text/html", "value": "OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125 Out-of-bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-191", "description": "CWE-191 Integer Underflow (Wrap or Wraparound)"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openldap:openldap:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "0.9.34", "versionStartIncluding": "0.9.14"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-05T01:30:08.139Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22185", "state": "PUBLISHED", "dateUpdated": "2026-03-05T01:30:08.139Z", "dateReserved": "2026-01-06T16:47:17.182Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-01-07T20:26:30.054Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition."}, {"lang": "es", "value": "Las versiones de OpenLDAP Lightning Memory-Mapped Database (LMDB) hasta la 0.9.14 inclusive, anteriores al commit 8e1fda8, contienen un desbordamiento negativo de b\u00fafer de pila en la funci\u00f3n readline() de mdb_load. Al procesar una entrada malformada que contiene un byte NUL incrustado, un c\u00e1lculo de desplazamiento sin signo puede sufrir un desbordamiento negativo y causar una lectura fuera de l\u00edmites de un byte antes del b\u00fafer de pila asignado. Esto puede causar que mdb_load falle, lo que lleva a una condici\u00f3n de denegaci\u00f3n de servicio limitada."}], "id": "CVE-2026-22185", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-01-07T21:16:01.733", "references": [{"source": "disclosure@vulncheck.com", "url": "https://bugs.openldap.org/show_bug.cgi?id=10421"}, {"source": "disclosure@vulncheck.com", "url": "https://seclists.org/fulldisclosure/2026/Jan/5"}, {"source": "disclosure@vulncheck.com", "url": "https://seclists.org/fulldisclosure/2026/Jan/8"}, {"source": "disclosure@vulncheck.com", "url": "https://www.openldap.org/"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/openldap-lmdb-mdb-load-heap-buffer-underflow-in-readline"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-191"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{"bugzilla": {"description": "OpenLDAP: OpenLDAP LMDB: Denial of Service and Information Disclosure via Heap Buffer Underflow", "id": "2427679", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427679"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "status": "draft"}, "cwe": "(CWE-125|CWE-191)", "details": ["A flaw was found in OpenLDAP Lightning Memory-Mapped Database (LMDB) mdb_load. When processing malformed input, a local attacker can exploit a heap buffer underflow vulnerability in the readline() function. This can lead to an out-of-bounds read, potentially causing a denial of service (DoS) and limited disclosure of heap memory contents."], "mitigation": {"lang": "en:us", "value": "To reduce the risk from this vulnerability, administrators should avoid processing untrusted or externally supplied LMDB database files with mdb_load and restrict its use to trusted, local users only."}, "name": "CVE-2026-22185", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "openldap", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "compat-openldap", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "openldap", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "compat-openldap", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "openldap", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "openldap", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "openldap", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-01-07T20:26:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-22185\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-22185\nhttps://seclists.org/fulldisclosure/2026/Jan/5\nhttps://seclists.org/fulldisclosure/2026/Jan/8\nhttps://www.openldap.org/\nhttps://www.vulncheck.com/advisories/openldap-lmdb-mdb-load-heap-buffer-underflow-in-readline"], "statement": "This vulnerability is classified as Moderate rather than Important because its impact and exploitability are limited in scope and consequence. The flaw results in a one-byte heap out-of-bounds read caused by an integer underflow in mdb_load, which is a local, administrative utility rather than a long-running network-exposed service. Exploitation requires local execution and the ability to supply a malformed LMDB input file, significantly reducing the attack surface. While the issue can reliably trigger a process crash and may disclose minimal adjacent heap data, it does not allow memory corruption, privilege escalation, or arbitrary code execution. The confidentiality impact is low and bounded, and the availability impact is confined to the mdb_load invocation itself, not to the OpenLDAP daemon or directory service at runtime.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-04-16T18:26:46.469301+00:00", "value": {"mitigation_remediation": ["Upgrade OpenLDAP to a release that includes LMDB newer than 0.9.14 or apply the patch from commit 8e1fda8", "If an upgrade is not possible, obtain and apply the vendor\u2019s official patch or rebuild LMDB from the patched source ", "Configure your environment to reject or sanitize malformed file input to mdb_load, such as by validating NUL byte presence or restricting the utility\u2019s use to trusted data"], "summary": {"action": "Patch", "impact": "Denial of Service via heap buffer underflow"}, "threat_synthesis": {"affected_systems": "Vulnerable versions include OpenLDAP Lightning Memory\u2011Mapped Database (LMDB) through 0.9.14, as well as any OpenLDAP releases prior to the commit identified as 8e1fda8. The affected vendor is the OpenLDAP Foundation, with the product named OpenLDAP.", "description_and_impact": "A heap buffer underflow occurs in the readline() function of the LMDB component of OpenLDAP. When malformed input containing an embedded NUL byte is processed, an unsigned offset calculation wraps around and triggers an out\u2011of\u2011bounds read of a single byte immediately before the allocated buffer. The result is a crash of the mdb_load utility, causing a limited denial\u2011of\u2011service condition. The weakness is a classic buffer underflow (CWE\u2011125) that can also lead to unsigned integer underflow (CWE\u2011191).", "risk_and_exploitability": "The CVSS score of 4.6 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attacks would require an attacker to supply crafted input to the mdb_load utility; the effect is isolated to the process, resulting in a crash rather than arbitrary code execution."}}}}, "created": "2026-01-08T09:48:19.906033+00:00", "updated": "2026-04-16T18:30:10.548863+00:00", "vendors": ["openldap", "openldap$PRODUCT$openldap"]}