Vulnerability Description
_bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer.
CVSS Score
8.1
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mongodb | Libbson | 1.12.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1627923#c3Issue TrackingThird Party Advisory
- https://github.com/mongodb/mongo-c-driver/commit/0d9a4d98bfdf4acd2c0138d4aaeb4e2Patch
- https://jira.mongodb.org/browse/CDRIVER-2819Issue TrackingThird Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1627923#c3Issue TrackingThird Party Advisory
- https://github.com/mongodb/mongo-c-driver/commit/0d9a4d98bfdf4acd2c0138d4aaeb4e2Patch
- https://jira.mongodb.org/browse/CDRIVER-2819Issue TrackingThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2025/05/msg00012.html
FAQ
What is CVE-2018-16790?
CVE-2018-16790 is a vulnerability with a CVSS score of 8.1 (HIGH). _bson_iter_next_internal in bson-iter.c in libbson 1.12.0, as used in MongoDB mongo-c-driver and other products, has a heap-based buffer over-read via a crafted bson buffer.
How severe is CVE-2018-16790?
CVE-2018-16790 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-16790?
Check the references section above for vendor advisories and patch information. Affected products include: Mongodb Libbson.