diff --git a/advisories/unreviewed/2026/02/GHSA-cp6g-7hqx-qxhp/GHSA-cp6g-7hqx-qxhp.json b/advisories/unreviewed/2026/02/GHSA-cp6g-7hqx-qxhp/GHSA-cp6g-7hqx-qxhp.json
index bc368b697cc32..23528969096ca 100644
--- a/advisories/unreviewed/2026/02/GHSA-cp6g-7hqx-qxhp/GHSA-cp6g-7hqx-qxhp.json
+++ b/advisories/unreviewed/2026/02/GHSA-cp6g-7hqx-qxhp/GHSA-cp6g-7hqx-qxhp.json
@@ -1,23 +1,59 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-cp6g-7hqx-qxhp",
- "modified": "2026-02-10T21:31:31Z",
+ "modified": "2026-02-10T21:31:42Z",
 "published": "2026-02-10T21:31:31Z",
 "aliases": [
 "CVE-2026-2303"
 ],
+ "summary": "Heap Out-of-Bounds Read in GSSAPI Error Handling",
 "details": "The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guaranteed to be null-terminated or have extra padding, this results in reading one byte past the allocated heap buffer.",
 "severity": [
 {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "go.mongodb.org/mongo-driver"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.17.7"
+ }
+ ]
+ }
+ ]
 },
 {
- "type": "CVSS_V4",
- "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ "package": {
+ "ecosystem": "Go",
+ "name": "go.mongodb.org/mongo-driver/v2"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.4.2"
+ }
+ ]
+ }
+ ]
 }
 ],
- "affected": [],
 "references": [
 {
 "type": "ADVISORY",
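Review bot: The CVSS 4.0 vector kept on the new `"score"` line rates only integrity as impacted (`VC:N/VI:H/VA:N`), yet the `details` text describes a heap out-of-bounds read of one byte past the buffer, whose typical impact is information disclosure or a crash rather than integrity loss. This may simply reproduce the CNA-assigned score, so it should be confirmed against the CVE-2026-2303 record during review rather than edited here, but the mismatch will confuse consumers triaging by impact. The new `summary` also places the bug in "GSSAPI Error Handling" while `details` never names that code path; a sentence in `details` stating where in the C wrapper the read happens would make the two fields agree.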