Description
A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver.
Published: 2026-03-17
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability involves a heap‑buffer‑over‑read in the _mongoc_http_send function of the MongoDB C driver. A non‑null‑terminated buffer is passed to strstr, causing the function to read past the allocated memory. This memory access error results in an application crash. The primary impact is a denial of service, as the targeted process terminates unexpectedly. The weakness corresponds to out‑of‑bounds array access and improper string termination.

Affected Systems

Affected systems include MongoDB Inc's MongoDB C driver. No specific version range is listed in the advisory, so any instance of the driver that contains the _mongoc_http_send implementation is potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score is 2, indicating low severity, and the EPSS score is below 1%, suggesting that exploitation is unlikely at present. It is not listed in the CISA KEV catalog. The likely attack vector is remote, where a compromised third‑party cloud server or a man‑in‑the‑middle attacker can send a crafted HTTP response to trigger the crash. Once executed, the crash leads to a denial of service without providing confidentiality or integrity impact.

Generated by OpenCVE AI on April 2, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest MongoDB C driver version that includes the fix.
  • If upgrade is not immediately possible, enable any available runtime memory‑check or security flags to mitigate accidental over‑read.
  • Validate incoming HTTP responses or use a proxy to sanitize responses before they reach the driver.
  • Monitor vendor announcements and apply any hotfixes as soon as they become available.

Generated by OpenCVE AI on April 2, 2026 at 13:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mongodb:c_driver:*:*:*:*:*:mongodb:*:*

Wed, 18 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb c Driver
Weaknesses CWE-170
Vendors & Products Mongodb
Mongodb c Driver
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 17 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver.
Title Heap-buffer-over-read in _mongoc_http_send via strstr on non-null-terminated buffer
Weaknesses CWE-158
References
Metrics cvssV3_1

{'score': 2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L'}

cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb C Driver
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-03-18T20:00:06.747Z

Reserved: 2026-03-17T19:11:07.170Z

Link: CVE-2026-4359

cve-icon Vulnrichment

Updated: 2026-03-18T20:00:02.063Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-17T20:16:15.233

Modified: 2026-04-02T12:34:29.107

Link: CVE-2026-4359

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-17T19:42:03Z

Links: CVE-2026-4359 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:23:35Z

Weaknesses