CVE-2026-2303: mongo-go-driver has Heap Out-of-Bounds Read in GSSAPI Error Handling

February 10, 2026 (updated June 18, 2026)

The mongo-go-driver repository contains CGo bindings for GSSAPI (Kerberos) authentication on Linux and macOS. The C wrapper implementation contains a heap out-of-bounds read vulnerability due to incorrect assumptions about string termination in the GSSAPI standard. Since GSSAPI buffers are not guaranteed to be null-terminated or have extra padding, this results in reading one byte past the allocated heap buffer.

References

github.com/advisories/GHSA-cp6g-7hqx-qxhp
jira.mongodb.org/browse/GODRIVER-3770
nvd.nist.gov/vuln/detail/CVE-2026-2303

Code Behaviors & Features

Detect and mitigate CVE-2026-2303 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →