OpenLDAP <= 0.9.14 LMDB mdb_load Heap Buffer Underflow in readline()

Advisories

severity: medium
date: January 7, 2026
Affecting: OpenLDAP 0.9.14 < 0.9.34 (fixed in commit 8e1fda8)
CVE: CVE-2026-22185
CWE: CWE-125 Out-of-bounds Read
CWE-191 Integer Underflow (Wrap or Wraparound)
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
References: Researcher SecLists Disclosure 1
Researcher SecLists Disclosure 2
OpenLDAP Project Bug Tracker
OpenLDAP Webpage
Credit: Ron Edgerson
Description: OpenLDAP Lightning Memory-Mapped Database (LMDB) versions up to and including 0.9.14, prior to commit 8e1fda8, contain a heap buffer underflow in the readline() function of mdb_load. When processing malformed input containing an embedded NUL byte, an unsigned offset calculation can underflow and cause an out-of-bounds read of one byte before the allocated heap buffer. This can cause mdb_load to crash, leading to a limited denial-of-service condition.