{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2303", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "state": "PUBLISHED", "assignerShortName": "mongodb", "dateReserved": "2026-02-10T18:55:27.871Z", "datePublished": "2026-02-10T19:03:06.737Z", "dateUpdated": "2026-02-11T15:16:15.789Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "MongoDB Go Driver", "vendor": "MongoDB Inc", "versions": [{"lessThan": "1.17.7", "status": "affected", "version": "1.0.0", "versionType": "semver"}, {"lessThan": "2.4.2", "status": "affected", "version": "2.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The mongo-go-driver repository&nbsp;contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guaranteed to be null-terminated or have extra padding, this results in reading one byte past the allocated heap buffer.<br><br>"}], "value": "The mongo-go-driver repository\u00a0contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guaranteed to be null-terminated or have extra padding, this results in reading one byte past the allocated heap buffer."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 6.9, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-183", "description": "CWE-183 Permissive List of Allowed Inputs", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2026-02-10T19:03:06.737Z"}, "references": [{"url": "https://jira.mongodb.org/browse/GODRIVER-3770"}], "source": {"discovery": "UNKNOWN"}, "title": "Heap Out-of-Bounds Read in Go Driver GSSAPI C Wrappers enables application crash or information leak", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-11T15:16:06.075674Z", "id": "CVE-2026-2303", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:16:15.789Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2303", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-11T15:16:06.075674Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-11T15:16:11.659Z"}}], "cna": {"title": "Heap Out-of-Bounds Read in Go Driver GSSAPI C Wrappers enables application crash or information leak", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "MongoDB Inc", "product": "MongoDB Go Driver", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.17.7", "versionType": "semver"}, {"status": "affected", "version": "2.0.0", "lessThan": "2.4.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://jira.mongodb.org/browse/GODRIVER-3770"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "The mongo-go-driver repository\u00a0contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guaranteed to be null-terminated or have extra padding, this results in reading one byte past the allocated heap buffer.", "supportingMedia": [{"type": "text/html", "value": "The mongo-go-driver repository&nbsp;contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guaranteed to be null-terminated or have extra padding, this results in reading one byte past the allocated heap buffer.<br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-183", "description": "CWE-183 Permissive List of Allowed Inputs"}]}], "providerMetadata": {"orgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "shortName": "mongodb", "dateUpdated": "2026-02-10T19:03:06.737Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2303", "state": "PUBLISHED", "dateUpdated": "2026-02-11T15:16:15.789Z", "dateReserved": "2026-02-10T18:55:27.871Z", "assignerOrgId": "a39b4221-9bd0-4244-95fc-f3e2e07f1deb", "datePublished": "2026-02-10T19:03:06.737Z", "assignerShortName": "mongodb"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The mongo-go-driver repository\u00a0contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guaranteed to be null-terminated or have extra padding, this results in reading one byte past the allocated heap buffer."}, {"lang": "es", "value": "El repositorio mongo-go-driver contiene enlaces CGo para la autenticaci\u00f3n GSSAPI (Kerberos) en Linux y macOS. La implementaci\u00f3n del wrapper de C contiene una vulnerabilidad de lectura fuera de l\u00edmites del heap debido a suposiciones incorrectas sobre la terminaci\u00f3n de cadenas en el est\u00e1ndar GSSAPI. Dado que no se garantiza que los b\u00faferes GSSAPI est\u00e9n terminados en nulo o que tengan relleno adicional, esto resulta en la lectura de un byte m\u00e1s all\u00e1 del b\u00fafer del heap asignado."}], "id": "CVE-2026-2303", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "cna@mongodb.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@mongodb.com", "type": "Secondary"}]}, "published": "2026-02-10T20:17:00.757", "references": [{"source": "cna@mongodb.com", "url": "https://jira.mongodb.org/browse/GODRIVER-3770"}], "sourceIdentifier": "cna@mongodb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-183"}], "source": "cna@mongodb.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,1.17.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.4.2)"}}], "product": "go_driver", "vendor": "mongodb"}], "analysis": {"en": {"generated_at": "2026-04-17T20:28:18.716417+00:00", "value": {"mitigation_remediation": ["Upgrade the MongoDB Go Driver to the latest release that includes the fix for the out\u2011of\u2011bounds read. ", "If immediate upgrading is not possible, temporarily disable GSSAPI authentication or switch to an alternative authentication mechanism. ", "Audit custom Kerberos token handling to ensure that buffers are properly terminated or padded, reducing the risk of similar boundary violations."], "summary": {"action": "Update Driver", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The issue affects MongoDB Inc\u2019s MongoDB Go Driver whenever GSSAPI authentication is enabled on Linux or macOS. Exact vulnerable versions are not listed; therefore any release up to the latest that has not applied the corrective wrapper adjustments is potentially impacted.", "description_and_impact": "The vulnerability arises from an out\u2011of\u2011bounds read in the CGo bindings used by the MongoDB Go Driver\u2019s GSSAPI authentication on Linux and macOS. An attacker could trigger a read of one byte past a heap buffer when the driver processes a Kerberos token that is not null\u2011terminated. This leads to either a crash of the application or inadvertent exposure of memory contents that may contain sensitive information. No direct code execution is possible, but the instability and data leakage pose a moderate threat to confidentiality and availability.", "risk_and_exploitability": "With a CVSS score of 6.9 the vulnerability is classified as medium severity. The EPSS score of less than 1\u202f% indicates a low probability of exploitation at the time of analysis. The attack vector is likely local or requires the ability to send crafted Kerberos tokens to the driver, so it is not an arbitrary external exploit. The vulnerability is not currently listed in CISA\u2019s KEV catalog. The risk is thus moderate but potentially significant for applications that rely on GSSAPI authentication."}}}}, "created": "2026-02-11T21:51:50.714472+00:00", "updated": "2026-04-17T20:30:15.817107+00:00", "vendors": ["mongodb", "mongodb$PRODUCT$go_driver"]}