- Package: src:mongo-c-driver
- Source: src:mongo-c-driver
- Submitter: Salvatore Bonaccorso
- Date: 2026-05-21 19:09:03 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for mongo-c-driver.

CVE-2026-9100[0]:
| The MongoDB C Driver's legacy GridFS API accepts malformed file
| metadata from the database without adequate validation. Crafted
| documents in a GridFS collection may cause any application that
| reads those files via the legacy API to either crash (via a
| division-by-zero) or silently leak process memory contents (via an
| out-of-bounds read).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-9100
    https://www.cve.org/CVERecord?id=CVE-2026-9100
[1] https://jira.mongodb.org/browse/CDRIVER-6281

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
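The advisory above describes two failure modes that arise when arithmetic is done on file metadata read from the database before it has been checked: a division by zero and an out-of-bounds read. The following C block is an added illustration of the kind of pre-arithmetic validation that closes both classes; it is not the driver's code or its actual fix, and it assumes the relevant fields are the standard GridFS `length` and `chunkSize` (the bug report does not name them).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the two numeric fields a GridFS "files"
 * document carries (length, chunkSize). Not the driver's own types. */
typedef struct {
    int64_t length;      /* total file size in bytes, from the database   */
    int32_t chunk_size;  /* bytes per chunk, from the database            */
} gridfs_file_meta_t;

/* Reject metadata before any division or size computation uses it:
 * chunk_size must be positive (otherwise chunk-count math divides by
 * zero), length must be non-negative, and the rounded-up chunk count
 * must fit in an int32 without the intermediate sum overflowing. */
static bool gridfs_meta_is_sane(const gridfs_file_meta_t *m) {
    if (m->chunk_size <= 0) return false;                 /* divide-by-zero */
    if (m->length < 0) return false;
    if (m->length > INT64_MAX - m->chunk_size) return false; /* overflow  */
    int64_t nchunks = (m->length + m->chunk_size - 1) / m->chunk_size;
    return nchunks <= INT32_MAX;
}

/* Number of chunks the file should have, or -1 if metadata is rejected. */
static int64_t gridfs_expected_chunks(const gridfs_file_meta_t *m) {
    if (!gridfs_meta_is_sane(m)) return -1;
    return (m->length + m->chunk_size - 1) / m->chunk_size;
}

/* Copy up to `want` bytes starting at `offset` out of one chunk whose
 * payload really holds `have` bytes. The copy is bounded by `have`, not
 * by the declared chunk_size, so a chunk that is shorter than its
 * metadata claims cannot cause a read past the buffer. Returns the
 * number of bytes copied, or -1 if the request is rejected. */
static int64_t gridfs_copy_from_chunk(const gridfs_file_meta_t *m,
                                      const uint8_t *chunk, size_t have,
                                      size_t offset, uint8_t *out, size_t want) {
    if (!gridfs_meta_is_sane(m)) return -1;
    if (have > (size_t) m->chunk_size) return -1;  /* larger than declared */
    if (offset > have) return -1;                  /* offset past real data */
    size_t avail = have - offset;
    size_t n = want < avail ? want : avail;
    memcpy(out, chunk + offset, n);
    return (int64_t) n;
}
```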
Hi Salvatore,

This was already fixed in versions 2.3.0-1, 1.30.4-1+deb13u2, and 1.23.1-1+deb12u3. Those last two went into the point release last weekend, but that was before the CVE had been allocated. I have set the correct fixed versions in the BTS.

Regards,
Hi Roberto,

Oh, I seem to have had a version skew; the fix is in 2.2.4, so yes. I will update the tracker shortly.

Regards,
Salvatore
No worries. I also appear to have missed that it was 2.2.4 since I have pruned the 2.2 branch locally. Ack and thanks.

Also, I appear to have fumbled the first attempt at setting the found/fixed versions on this bug, so I tried again. It should be all correct now.

Regards,
Hi Roberto,

Thank you! So I think we are settled now :)

Regards,
Salvatore