CVE-2026-2303
Published 2026-02-10
Priority: P337 · Severity: medium · CVSS 3.1 base score 6.5
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.22% (12.8th percentile)
The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guaranteed to be null-terminated or have extra padding, this results in reading one byte past the allocated heap buffer.
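The root cause described above is a C wrapper treating a GSSAPI buffer as if it were a NUL-terminated C string. The following is an added example, not code from the driver or from the advisory, showing the length-driven conversion a CGo wrapper should use instead. `example_gss_buffer_desc` is a constructed stand-in for `gss_buffer_desc` from `<gssapi/gssapi.h>` (same two fields, `length` and `value`), and `make_unterminated` is a constructed helper that reproduces the exactly-sized, unterminated heap allocation a GSSAPI implementation is permitted to return.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for gss_buffer_desc (constructed for this example; the real type
 * lives in <gssapi/gssapi.h>). The standard only guarantees `length` bytes
 * at `value`; there is no trailing '\0' and no padding after them. */
typedef struct {
    size_t length;
    void *value;
} example_gss_buffer_desc;

/* Convert a GSSAPI buffer into a freshly allocated, NUL-terminated C string.
 * `length` is the only source of truth: strlen() is never called on `value`,
 * so the read stops exactly at the end of the allocation. Caller frees. */
char *gss_buffer_to_cstring(const example_gss_buffer_desc *buf) {
    if (buf == NULL || (buf->length > 0 && buf->value == NULL)) {
        return NULL;
    }
    char *out = malloc(buf->length + 1);   /* +1 for the terminator we add */
    if (out == NULL) {
        return NULL;
    }
    if (buf->length > 0) {
        memcpy(out, buf->value, buf->length);
    }
    out[buf->length] = '\0';
    return out;
}

/* Constructed helper: build a buffer whose value is an exactly-sized heap
 * allocation with no room for a terminator, the shape that triggers the
 * one-byte over-read when code assumes NUL termination. Caller frees value. */
example_gss_buffer_desc make_unterminated(const char *text) {
    example_gss_buffer_desc b;
    b.length = strlen(text);
    b.value = NULL;
    if (b.length > 0) {
        b.value = malloc(b.length);        /* exactly length bytes, no '\0' */
        memcpy(b.value, text, b.length);
    }
    return b;
}
```

Any place a wrapper hands `value` to a strlen-based consumer (`strlen`, a `%s` format, or cgo's `C.GoString`) is where the over-read happens; routing the buffer through a length-bounded copy like the one above, or using `C.GoStringN(value, length)` on the Go side, removes the out-of-bounds read. Running the driver's GSSAPI test path under AddressSanitizer is the practical way to confirm a wrapper no longer steps past the allocation.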
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| go.mongodb.org | mongo-driver | >= 0 < 1.17.7 | 1.17.7 |
| go.mongodb.org | mongo-driver_v2 | >= 0 < 2.4.2 | 2.4.2 |
| mongodb_inc | mongodb_go_driver | >= 1.0.0 < 1.17.7 | 1.17.7 |
| mongodb_inc | mongodb_go_driver | >= 2.0.0 < 2.4.2 | 2.4.2 |
CVSS provenance
NVD, CVSS v3.1: 6.5 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
NVD, CVSS v4.0: 6.9 MEDIUM, CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA · 2026-02-10: mongo-go-driver has Heap Out-of-Bounds Read in GSSAPI Error Handling
CVE-2026-2303 [MEDIUM] CWE-183
GHSA (unreviewed) · 2026-02-10: GHSA-cp6g-7hqx-qxhp: The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS
CVE-2026-2303 [MEDIUM] CWE-183
No detection rules found.
No public exploits indexed.
Wiz · CVSS 6.9: CVE-2026-2303 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-2303 [MEDIUM]
## CVE-2026-2303: CBL Mariner vulnerability analysis and mitigation
Source: NVD

| Field | Value |
|---|---|
| Score | 6.9 |
| Published | February 10, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.9 |
| Affected Technologies | CBL Mariner |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 13.2 |
| Exploitation Probability (EPSS) | N/A |
Bugzilla · 2026-02-11 · CVSS 6.9: CVE-2026-2303 golang-mongodb-mongo-driver: heap-based buffer over-read in GSSAPI error handling [fedora-42]
CVE-2026-2303 [MEDIUM]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintaine