Full Disclosure mailing list archives
MongoDB v8.3.0 Integer Underflow in LMDB mdb_load
From: Ron E <ronaldjedgerson () gmail com>
Date: Wed, 31 Dec 2025 23:17:45 -0500
This integer underflow vulnerability enables heap metadata corruption and information disclosure through carefully crafted LMDB dump files.

*Impact:*
- *Denial of Service*: Immediate crash (confirmed)
- *Information Disclosure*: Heap metadata leak via OOB read

Root Cause:
The readline() function fails to validate that the input line length is non-zero before performing decrement operations, causing integer underflow. An attacker can craft a malicious LMDB dump file containing empty lines that trigger the vulnerability when processed by mdb_load:

*Output:*
./mdb_load -T /tmp/lmdb_asan < /root/wiredtiger/third_party/openldap_liblmdb/findings/default/crashes/id:000007,sig:06,src:000012+000030,time:43032,execs:522id:000007,sig:06,src:000012+000030,time:43032,execs:52230,op:splice,rep:13
mdb_load.c:214:9: runtime error: addition of unsigned offset to 0x521000000100 overflowed to 0x5210000000ff
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior mdb_load.c:214:9
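The following C sketch is an added example, not part of the original post and not LMDB's source. It models the missing length check described under Root Cause with a hypothetical trimmer (trim_line_checked), shows that an unchecked len - 1 on an empty line wraps to SIZE_MAX, and reproduces the address arithmetic seen in the sanitizer output; the sample dump text is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Index an unchecked "len - 1" produces; for len == 0 it wraps to SIZE_MAX.
 * Arithmetic only, no memory is touched. */
size_t unchecked_last_index(size_t len) { return len - 1; }

/* Address arithmetic from the sanitizer report, modelled with 64-bit
 * integers: base plus a wrapped offset lands one byte before the buffer. */
uint64_t wrapped_address(uint64_t base) { return base + UINT64_MAX; }

/* Hypothetical line trimmer (not LMDB's readline()): strips one trailing
 * '\n' and returns the new length, or -1 for an empty line. */
long trim_line_checked(char *buf, size_t len) {
    if (buf == NULL || len == 0)
        return -1;                 /* reject before any decrement */
    if (buf[len - 1] == '\n')
        buf[--len] = '\0';
    return (long)len;
}

/* Walks a dump-like input and counts the lines the length check rejects. */
int count_rejected_lines(const char *input) {
    int rejected = 0;
    char line[64];
    while (*input) {
        const char *nl = strchr(input, '\n');
        size_t n = nl ? (size_t)(nl - input) : strlen(input);
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, input, n);
        line[n] = '\0';
        if (trim_line_checked(line, n) < 0)
            rejected++;
        input += nl ? (size_t)(nl - input) + 1 : n;
    }
    return rejected;
}

int main(void) {
    /* Constructed sample input containing two empty lines. */
    return count_rejected_lines("VERSION=3\n\nformat=bytevalue\n\n") == 2 ? 0 : 1;
}
```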
