MongoDB C Driver GridFS API division-by-zero via malformed metadata
CVE-2026-9100 Published on May 20, 2026
Heap memory out of bounds read and crash in C Driver legacy GridFS file reader
The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash (via a division-by-zero) or silently leak process memory contents (via an out-of-bounds read).
Vulnerability Analysis
CVE-2026-9100 is exploitable with network access, and requires a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. An exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity, and a high impact on availability.
Weakness Type
Improper Validation of Specified Index, Position, or Offset in Input
The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.
Products Associated with CVE-2026-9100
Affected Versions
MongoDB, Inc. C Driver:
- Version 1.0 and below 1.30.8 is affected.
- Version 2.0 and below 2.2.4 is affected.