Description
OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition.
Published: 2026-01-07
Score: 4.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via heap buffer underflow
Action: Patch
AI Analysis

Impact

A heap buffer underflow occurs in the readline() function of the LMDB component of OpenLDAP. When malformed input containing an embedded NUL byte is processed, an unsigned offset calculation wraps around and triggers an out‑of‑bounds read of a single byte immediately before the allocated buffer. The result is a crash of the mdb_load utility, causing a limited denial‑of‑service condition. The weakness is an out‑of‑bounds read (CWE‑125) caused by an unsigned integer underflow (CWE‑191).

Affected Systems

Vulnerable versions include OpenLDAP Lightning Memory‑Mapped Database (LMDB) through 0.9.14, as well as any OpenLDAP releases prior to the commit identified as 8e1fda8. The affected vendor is the OpenLDAP Foundation, with the product named OpenLDAP.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attacks would require an attacker to supply crafted input to the mdb_load utility; the effect is isolated to the process, resulting in a crash rather than arbitrary code execution.

Generated by OpenCVE AI on April 16, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenLDAP to a release that includes LMDB newer than 0.9.14 or apply the patch from commit 8e1fda8
  • If an upgrade is not possible, obtain and apply the vendor’s official patch or rebuild LMDB from the patched source
  • Configure your environment to reject or sanitize malformed file input to mdb_load, for example by checking input files for embedded NUL bytes, or restrict the utility’s use to trusted data
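
The length guard implied by the description and the NUL-byte input check from the last recommendation, as an added example that is not LMDB's or OpenCVE's code. All function names are hypothetical, the input bytes are constructed, and reading the line with fgets() followed by strlen() is an assumption about how a line reader ends up with a zero-length string.

```c
#include <stdio.h>
#include <string.h>

/* Guarded "last byte of the line" lookup. With len == 0, the unguarded
 * expression line[len - 1] wraps the size_t index and reads line[-1].
 * Returns 1 = ends in '\n', 0 = no newline, -1 = empty string. */
int ends_with_newline(const char *line)
{
    size_t len = strlen(line);
    if (len == 0)
        return -1;                  /* refuse instead of reading line[-1] */
    return line[len - 1] == '\n';
}

/* Pre-check for an input file: 1-based number of the first line holding a
 * raw NUL byte, 0 if there is none, -1 on I/O error. */
long first_nul_line(FILE *fp)
{
    long line = 1;
    int c;
    while ((c = getc(fp)) != EOF) {
        if (c == '\0') return line;
        if (c == '\n') line++;
    }
    return ferror(fp) ? -1 : 0;
}

/* Demo helper: store constructed bytes in a temp file, run the pre-check,
 * then read line 1 with fgets() and classify it with the guard. */
int classify_first_line(const void *data, size_t n, long *nul_line)
{
    char buf[64] = "";
    FILE *fp = tmpfile();
    if (!fp) return -2;
    if (fwrite(data, 1, n, fp) != n) { fclose(fp); return -2; }
    rewind(fp);
    *nul_line = first_nul_line(fp);
    rewind(fp);
    if (!fgets(buf, sizeof buf, fp)) buf[0] = '\0';
    fclose(fp);
    return ends_with_newline(buf);
}

int main(void)
{
    long where = 0;
    int r = classify_first_line("\0abc\n", 5, &where); /* constructed input */
    printf("guard=%d nul_line=%ld\n", r, where);
    return 0;
}
```

A line that begins with a NUL byte makes fgets() succeed while strlen() reports 0, which is the case the guard returns -1 for and the pre-check flags by line number.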

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openldap:openldap:*:*:*:*:*:*:*:*

Mon, 12 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics
  Removed: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}
  Added: cvssV4_0 {'score': 4.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Thu, 08 Jan 2026 20:45:00 +0000

Type Values Removed Values Added
Metrics
  Removed: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}
  Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Thu, 08 Jan 2026 17:00:00 +0000

Type Values Removed Values Added
Description
  Removed: OpenLDAP Lightning Memory-Mapped Database (LMDB) mdb_load contains a heap buffer underflow vulnerability in the readline() function. When processing malformed input, an unsigned offset calculation can underflow a heap pointer, resulting in an out-of-bounds read of one byte before the allocated heap buffer. This may allow a local attacker to cause a denial of service and potentially disclose limited heap memory contents.
  Added: OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition.
References
Metrics
  Removed: cvssV4_0 {'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N'}
  Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N'}


Thu, 08 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}

threat_severity

Moderate


Thu, 08 Jan 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Openldap
Openldap openldap
Vendors & Products Openldap
Openldap openldap

Wed, 07 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 07 Jan 2026 20:45:00 +0000

Type Values Removed Values Added
Description OpenLDAP Lightning Memory-Mapped Database (LMDB) mdb_load contains a heap buffer underflow vulnerability in the readline() function. When processing malformed input, an unsigned offset calculation can underflow a heap pointer, resulting in an out-of-bounds read of one byte before the allocated heap buffer. This may allow a local attacker to cause a denial of service and potentially disclose limited heap memory contents.
Title OpenLDAP <= 2.6.10 LMDB mdb_load Heap Buffer Underflow in readline()
Weaknesses CWE-125
CWE-191
References
Metrics cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:08.139Z

Reserved: 2026-01-06T16:47:17.182Z

Link: CVE-2026-22185

Vulnrichment

Updated: 2026-01-07T21:25:42.254Z

NVD

Status: Deferred

Published: 2026-01-07T21:16:01.733

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22185

Redhat

Severity: Moderate

Public Date: 2026-01-07T20:26:30Z

Links: CVE-2026-22185 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-16T18:30:10Z

Weaknesses