lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAFmK-GwR0V4XStkJRigmxbGuuR3_6muqDEGqwHmbC5kNgLctNA@mail.gmail.com>
Date: Wed, 31 Dec 2025 23:17:45 -0500
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] MongoDB v8.3.0 Integer Underflow in LMDB mdb_load

This integer underflow vulnerability enables heap metadata corruption and
information disclosure through carefully crafted LMDB dump files.

*Impact:*

   - *Denial of Service*: Immediate crash (confirmed)
   - *Information Disclosure*: Heap metadata leak via OOB read

Root Cause:The readline() function fails to validate that the input line
length is non-zero before performing decrement operations, causing integer
underflow. An attacker can craft a malicious LMDB dump file containing
empty lines that trigger the vulnerability when processed by mdb_load:
*Output:*

./mdb_load -T /tmp/lmdb_asan <
/root/wiredtiger/third_party/openldap_liblmdb/findings/default/crashes/id:000007,sig:06,src:000012+000030,time:43032,execs:522id:000007,sig:06,src:000012+000030,time:43032,execs:52230,op:splice,rep:13
mdb_load.c:214:9: runtime error: addition of unsigned offset to
0x521000000100 overflowed to 0x5210000000ff
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior mdb_load.c:214:9
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ