CVE-2026-2303

Summary

The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guaranteed to be null-terminated or have extra padding, this results in reading one byte past the allocated heap buffer.

Affected Software

VendorProductVersion RangeStatus
MongoDB IncMongoDB Go Driver1.0.0 < 1.17.7affected
MongoDB IncMongoDB Go Driver2.0.0 < 2.4.2affected

Weaknesses

  • CWE-183: CWE-183 Permissive List of Allowed Inputs

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References