MongoDB C Driver Crash via Malformed HTTP Response (CVE-2026-4359)
CVE-2026-4359 Published on March 17, 2026

Heap-buffer-over-read in _mongoc_http_send via strstr on non-null-terminated buffer
A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver.

NVD

Vulnerability Analysis

CVE-2026-4359 can be exploited with network access, requires user interaction and user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
HIGH
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
LOW

Weakness Type

Improper Neutralization of Null Byte or NUL Character

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. As data is parsed, an injected NUL character or null byte may cause the software to believe the input is terminated earlier than it actually is, or otherwise cause the input to be misinterpreted. This could then be used to inject potentially dangerous input that occurs after the null byte or otherwise bypass validation routines and other protection mechanisms.


Products Associated with CVE-2026-4359

Want to know whenever a new CVE is published for MongoDB C Driver? stack.watch will email you.

MongoDB C Driver
 

Affected Versions

MongoDB Inc MongoDB C Driver: