CVE-2026-4359: Improper Neutralization of Null Byte or NUL Character in INC Mongodb C Driver

Severity
2.0 LOW (NVD)
EPSS
0.0%
top 89.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Mar 17

Description

A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the MongoDB C driver.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected Packages: 2 packages

NVD mongodb/c_driver 2.2.0 2.2.3 +1
CVEListV5 mongodb_inc/mongodb_c_driver < 2.2.3

Patches

🔴 Vulnerability Details (3)
CVEList
Heap-buffer-over-read in _mongoc_http_send via strstr on non-null-terminated buffer (2026-03-17)
GHSA
GHSA-3548-98v9-6pq6: A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the (2026-03-17)
OSV
CVE-2026-4359: A compromised third party cloud server or man-in-the-middle attacker could send a malformed HTTP response and cause a crash in applications using the (2026-03-17)

📋 Vendor Advisories (2)
Red Hat
mongo-c-driver: mongo-c-driver: Denial of Service via malformed HTTP response (2026-03-17)
Debian
CVE-2026-4359: mongo-c-driver - A compromised third party cloud server or man-in-the-middle attacker could send ... (2026)

🕵️ Threat Intelligence (1)
Wiz
CVE-2026-4359 Impact, Exploitability, and Mitigation Steps | Wiz