CVE-2018-16790

EUVD-2018-8590
_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.1 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 65%
Affected Products (NVD)
VendorProductVersion
mongodblibbson
1.12.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
mongo-c-driver
bookworm
1.23.1-1
fixed
bullseye
1.17.6-1
fixed
sid
1.28.1-1
fixed
stretch
no-dsa
trixie
1.28.1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libbson
bionic
Fixed 1.9.2-1ubuntu0.1~esm2
released
cosmic
ignored
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
trusty
dne
xenial
Fixed 1.3.1-1ubuntu0.1~esm1
released
Common Weakness Enumeration
References
https://bugzilla.redhat.com/show_bug.cgi?id=1627923#c3
https://github.com/mongodb/mongo-c-driver/commit/0d9a4d98bfdf4acd2c0138d4aaeb4e2e0934bd84
https://jira.mongodb.org/browse/CDRIVER-2819
https://bugzilla.redhat.com/show_bug.cgi?id=1627923#c3
https://github.com/mongodb/mongo-c-driver/commit/0d9a4d98bfdf4acd2c0138d4aaeb4e2e0934bd84
https://jira.mongodb.org/browse/CDRIVER-2819
https://lists.debian.org/debian-lts-announce/2025/05/msg00012.html