Severity: MEDIUM (6.5)

GHSA-cp6g-7hqx-qxhp

mongo-go-driver has Heap Out-of-Bounds Read in GSSAPI Error Handling

Details

The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper contains a heap out-of-bounds read because it assumes GSSAPI buffers are NUL-terminated C strings, an assumption the GSSAPI standard does not make: a GSSAPI buffer carries an explicit length and is not guaranteed to be NUL-terminated or to have any padding after its last byte. When the error-handling code treats such a buffer as a C string, it reads one byte past the end of the allocated heap buffer.
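As an added illustration (not code from mongo-go-driver), the length-based conversion a CGo wrapper should use when handing a GSSAPI buffer to Go. The `buf_desc` struct is a constructed stand-in for GSSAPI's `gss_buffer_desc` (length plus value, no terminator guarantee), and `make_sample_error` builds a constructed error message allocated with exactly its length and no trailing NUL, the shape that makes a `strlen()`-style read run past the heap allocation.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for GSSAPI's gss_buffer_desc: an explicit length and a
 * pointer to bytes that need not be NUL-terminated. The real type comes from
 * <gssapi/gssapi.h>; this is only here so the example builds offline. */
typedef struct {
    size_t length;
    void *value;
} buf_desc;

/* Copy a GSSAPI buffer into a freshly allocated, NUL-terminated C string,
 * trusting only the buffer's declared length and never scanning for a NUL.
 * Returns NULL on allocation failure; the caller frees the result. */
char *buf_to_cstring(const buf_desc *b) {
    size_t len = (b != NULL && b->value != NULL) ? b->length : 0;
    char *out = malloc(len + 1);          /* room for the terminator we add */
    if (out == NULL) return NULL;
    if (len > 0) memcpy(out, b->value, len);
    out[len] = '\0';
    return out;
}

/* Constructed sample: a message allocated with exactly its length, so there
 * is no NUL inside the allocation. Reading it with strlen()/strcpy() would
 * touch the byte just past the end; buf_to_cstring() never looks there. */
buf_desc make_sample_error(void) {
    static const char msg[] = "Unspecified GSS failure";
    size_t n = sizeof(msg) - 1;           /* exclude the literal's own NUL */
    buf_desc b;
    b.value = malloc(n);
    if (b.value != NULL) memcpy(b.value, msg, n);
    b.length = (b.value != NULL) ? n : 0;
    return b;
}

int main(void) {
    buf_desc b = make_sample_error();
    char *s = buf_to_cstring(&b);         /* safe: bounded by b.length */
    free(s);
    free(b.value);
    return 0;
}
```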


Affected packages

Go / go.mongodb.org/mongo-driver
Introduced in: 0
Fixed in: 1.17.7
Fix: go get go.mongodb.org/mongo-driver@v1.17.7

Go / go.mongodb.org/mongo-driver/v2
Introduced in: 0
Fixed in: 2.4.2
Fix: go get go.mongodb.org/mongo-driver/v2@v2.4.2

References