CVE-2026-9100

5.9 MEDIUM

The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation

Published: 2026-05-20 · Last updated: 2026-05-20

Severity and scoring

CVSS: 5.9 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H
CWE: CWE-1285

Description

The MongoDB C Driver's legacy GridFS API accepts malformed file metadata from the database without adequate validation. Crafted documents in a GridFS collection may cause any application that reads those files via the legacy API to either crash (via a division-by-zero) or silently leak process memory contents (via an out-of-bounds read).

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-9100
[Other]https://jira.mongodb.org/browse/CDRIVER-6281

Related CVEs

Same CWE

CVE-2026-8036 — Improper input validation in NI-PAL may allow a local authenticated user to access arbitrary system memory, potentially leading to privil... (7.1 HIGH)
CVE-2026-45352 — cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library (5.3 MEDIUM)