MongoDB Go Driver GSSAPI Authentication Heap Out-of-Bounds Read Vulnerability

Vulnerability

A heap out-of-bounds read vulnerability has been identified in the MongoDB Go Driver's CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. This vulnerability arises from incorrect assumptions about string termination in the GSSAPI standard, leading to the potential for reading one byte past the end of allocated heap buffers. Such an out-of-bounds read could cause a crash, creating a denial-of-service condition, especially if the GSS library returns buffers allocated at page boundaries.
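To make the string-termination point concrete, the following C example is added here and is not the driver's code: it re-declares the length-plus-pointer shape of a GSSAPI buffer under the assumed name `gss_buffer_like` (so it builds without gssapi.h), shows the unsafe NUL-terminated-string assumption beside a conversion that honours the length field, and uses constructed buffer contents.

```c
#include <stdlib.h>
#include <string.h>

/* Shape of gss_buffer_desc from RFC 2744, re-declared under an assumed name so
 * the example builds without gssapi.h: a length and a pointer, with no
 * guarantee of a trailing NUL byte. */
typedef struct {
    size_t length;
    void *value;
} gss_buffer_like;

/* The pattern the advisory describes: treating the buffer as a C string.
 * strlen() scans until it finds a NUL, so on a buffer that is exactly `length`
 * bytes long it reads at least one byte past the allocation. Shown for
 * contrast only; nothing below calls it. */
char *buffer_to_cstring_unsafe(const gss_buffer_like *buf) {
    const char *p = (const char *)buf->value;
    size_t n = strlen(p);               /* walks past buf->length looking for NUL */
    char *out = malloc(n + 1);
    if (out != NULL) memcpy(out, p, n + 1);
    return out;
}

/* Hardened form: copy exactly `length` bytes and supply our own terminator in
 * memory we own. Never reads buf->value[length]. */
char *buffer_to_cstring(const gss_buffer_like *buf) {
    if (buf == NULL || (buf->value == NULL && buf->length != 0)) return NULL;
    char *out = malloc(buf->length + 1);
    if (out == NULL) return NULL;
    if (buf->length != 0) memcpy(out, buf->value, buf->length);
    out[buf->length] = '\0';
    return out;
}

/* Constructed input: an allocation of exactly `length` bytes with no NUL
 * stored, mimicking a tight buffer a GSS library may hand back. */
gss_buffer_like make_exact_buffer(const char *text, size_t length) {
    gss_buffer_like buf = { length, malloc(length) };
    if (buf.value != NULL) memcpy(buf.value, text, length);
    return buf;
}

/* Round-trips a tight buffer through the hardened converter and reports
 * whether the result equals `expected` and has exactly `length` characters. */
int converts_exactly(const char *text, size_t length, const char *expected) {
    gss_buffer_like buf = make_exact_buffer(text, length);
    char *s = buffer_to_cstring(&buf);
    int ok = (s != NULL) && strcmp(s, expected) == 0 && strlen(s) == length;
    free(s);
    free(buf.value);
    return ok;
}
```

Building with `-fsanitize=address` and calling the unsafe variant on a tight buffer is how the read past the end shows up; the hardened variant stays within `length` regardless of what follows the allocation.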

Impact

Exploitation of this vulnerability causes a heap out-of-bounds read, which can lead to a crash and potentially create a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by compiling a Go program that uses the driver with AddressSanitizer enabled, then running it with a MongoDB URI that specifies GSSAPI authentication. The program reads one byte past the end of the GSSAPI buffers, and AddressSanitizer reports the out-of-bounds read.

Remediation

Users can upgrade to MongoDB Go Driver versions 2.4.2 or 1.17.7, where this vulnerability has been fixed.

Added: Feb 10, 2026, 9:47 PM
Updated: Feb 11, 2026, 2:42 AM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 2.5
exploitability: 5.6
remediation: 7.7
relevance: 2.9
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.