CVE-2024-6381
Published: 2024-07-02
Priority: P427 · Severity: medium · CVSS 3.1 base score: 5.3
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:N
EPSS: 0.39% (31.0th percentile)
The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a negative offset. This may result in memory corruption. This issue affected libbson versions prior to 1.26.2.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libbson-xs-perl | < libbson-xs-perl 0.8.4-2+deb12u1 (bookworm) | libbson-xs-perl 0.8.4-2+deb12u1 (bookworm) |
| debian | libbson-xs-perl | — | — |
| debian | mongo-c-driver | < libbson-xs-perl 0.8.4-2+deb12u1 (bookworm) | libbson-xs-perl 0.8.4-2+deb12u1 (bookworm) |
| mongodb | libbson | < 1.26.2 | 1.26.2 |
| mongodb_inc | libbson | < 1.26.2 | 1.26.2 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | LOW | — |
| vendor_ubuntu | 4.0 | MEDIUM | — |
Ubuntu
mongo-c-driver vulnerabilities
vendor_ubuntu·2025-07-02·CVSS 4.0
CVE-2024-6383 [MEDIUM] mongo-c-driver vulnerabilities
Title: mongo-c-driver vulnerabilities
Summary: Several security issues were fixed in mongo-c-driver.
Karman Liu discovered that mongo-c-driver did not correctly handle certain memory operations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2024-6381)

Karman Liu discovered that mongo-c-driver did not correctly handle certain memory operations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS. (CVE-2024-6383, CVE-2025-0755)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2025-40906: libbson-xs-perl - BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, w...
vendor_debian·2025·CVSS 7.5
CVE-2025-40906 [HIGH] CVE-2025-40906: libbson-xs-perl - BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, w...
BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.
Scope: local
bookworm: open
bullseye: open
Debian
CVE-2024-6381: libbson-xs-perl - The bson_strfreev function in the MongoDB C driver library may be susceptible to...
vendor_debian·2024·CVSS 4.0
CVE-2024-6381 [MEDIUM] CVE-2024-6381: libbson-xs-perl - The bson_strfreev function in the MongoDB C driver library may be susceptible to...
The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a negative offset. This may result in memory corruption. This issue affected libbson versions prior to 1.26.2.
Scope: local
bookworm: resolved (fixed in 0.8.4-2+deb12u1)
bullseye: resolved (fixed in 0.8.4-1+deb11u1)
OSV
mongo-c-driver vulnerabilities
osv·2025-07-02·CVSS 5.3
CVE-2024-6381 [MEDIUM] mongo-c-driver vulnerabilities
mongo-c-driver vulnerabilities
Karman Liu discovered that mongo-c-driver did not correctly handle certain memory operations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2024-6381)

Karman Liu discovered that mongo-c-driver did not correctly handle certain memory operations. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 24.04 LTS. (CVE-2024-6383, CVE-2025-0755)
GHSA
GHSA-5pww-x83q-7gjh: BSON::XS versions 0
ghsa_unreviewed·2025-05-16·CVSS 7.5
CVE-2025-40906 [HIGH] CWE-1104 GHSA-5pww-x83q-7gjh: BSON::XS versions 0
BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities.
Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755.
BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.
OSV
CVE-2025-40906: BSON::XS versions 0
osv·2025-05-16·CVSS 7.5
CVE-2025-40906 [HIGH] CVE-2025-40906: BSON::XS versions 0
BSON::XS versions 0.8.4 and earlier for Perl includes a bundled libbson 1.1.7, which has several vulnerabilities. Those include CVE-2017-14227, CVE-2018-16790, CVE-2023-0437, CVE-2024-6381, CVE-2024-6383, and CVE-2025-0755. BSON-XS was the official Perl XS implementation of MongoDB's BSON serialization, but this distribution has reached its end of life as of August 13, 2020 and is no longer supported.
GHSA
GHSA-vc2m-fm8c-xx2j: The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a n
ghsa_unreviewed·2024-07-02
CVE-2024-6381 [MEDIUM] CWE-680 GHSA-vc2m-fm8c-xx2j: The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a n
The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a negative offset. This may result in memory corruption. This issue affected libbson versions prior to 1.26.2.
OSV
CVE-2024-6381: The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a n
osv·2024-07-02·CVSS 5.3
CVE-2024-6381 [MEDIUM] CVE-2024-6381: The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a n
The bson_strfreev function in the MongoDB C driver library may be susceptible to an integer overflow where the function will try to free memory at a negative offset. This may result in memory corruption. This issue affected libbson versions prior to 1.26.2.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.