https://bugs.openldap.org/show_bug.cgi?id=10421

          Issue ID: 10421
           Summary: mdb_load can crash on malicious input
           Product: LMDB
           Version: 0.9.14
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Keywords: needs_review
          Severity: minor
          Priority: ---
         Component: tools
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: ---

This is being reported as a DOS vulnerability, which is incorrect.
https://www.socdefenders.ai/item/01d72f7a-9622-4384-a936-d99925a19a8f

mdb_load is a command-line tool, not a server nor a library function that could
be run in a server. There is no service to deny.

Reading a line containing an embedded NUL byte may cause mdb_load to crash, but
as it's a one-shot command-line tool such crashes have no consequences.

The report claims "heap metadata leak" which is also irrelevant since this is a
one-shot tool and the only potential metadata is that which was contained in
the input file, whose contents are already known to the attacker.

The report is supposedly released under "responsible disclosure" and yet it was
never reported directly to the OpenLDAP Project (not in this bug tracker nor
anywhere else). This despite the fact that the reporter clearly knows that
mdb_load is a piece of OpenLDAP software.
https://seclists.org/fulldisclosure/2026/Jan/5

The malicious input file must be constructed with a valid header and a line
containing a single space followed by a single NUL byte. The dump/load file
format only uses printable characters, so an embedded NUL byte never occurs in
valid files.

It is unclear why any DB admin would ever fall victim to such a malicious
input. The mdb_load utility is only used to load files generated by mdb_dump,
and mdb_dump will never produce such an invalid file. If an attacker went to
the trouble to binary patch a dump file to create this crashing character
sequence, they clearly have enough privileges to read and alter any other
relevant files, so this crash doesn't give them any particular advantage. Nor
does the crash reveal any memory content that they don't already know.
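The report above rests on one property of the dump/load format: a file produced by mdb_dump contains only printable characters, so an embedded NUL byte marks a file mdb_dump never wrote. An admin who loads dump files from a source they do not fully control can turn that property into a pre-load sanity check. The following is an added example, not code from the OpenLDAP issue or from the LMDB tools; the sample header lines are constructed for illustration and are not verbatim mdb_dump output, and the treatment of tab and carriage return as disallowed is an assumption.

```python
"""Pre-load sanity check for LMDB dump files (added example, not LMDB code).

Relies on the property stated in the issue: valid mdb_dump output uses only
printable characters. Any NUL or other control byte therefore indicates a
file that mdb_dump did not produce and that mdb_load should not be fed.
"""

# Bytes a valid dump may contain: printable ASCII (0x20-0x7E) plus newline.
# Assumption: tab and carriage return are treated as disallowed as well.
ALLOWED = frozenset(range(0x20, 0x7F)) | {0x0A}


def find_bad_bytes(data: bytes) -> list[tuple[int, int, int]]:
    """Return (line, column, byte_value) for every disallowed byte.

    Line and column are 1-based so they can be quoted in an error message.
    """
    bad = []
    line, col = 1, 1
    for b in data:
        if b not in ALLOWED:
            bad.append((line, col, b))
        if b == 0x0A:
            line += 1
            col = 1
        else:
            col += 1
    return bad


def is_safe_to_load(data: bytes) -> bool:
    """True when the file contains only characters a valid dump uses."""
    return not find_bad_bytes(data)


# Constructed samples (illustrative only; not real mdb_dump output).
CLEAN_DUMP = (
    b"VERSION=3\n"
    b"format=print\n"
    b"HEADER=END\n"
    b" key1\n"
    b" value1\n"
    b"DATA=END\n"
)

# Same file with one data line replaced by a single space followed by NUL,
# the byte sequence the issue describes as crashing mdb_load.
NUL_DUMP = CLEAN_DUMP.replace(b" key1\n", b" \x00\n")


if __name__ == "__main__":
    import sys

    # Check a file given on the command line, or the constructed NUL sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else NUL_DUMP
    problems = find_bad_bytes(data)
    if problems:
        line, col, val = problems[0]
        print(f"refusing to load: byte 0x{val:02x} at line {line}, column {col}")
        sys.exit(1)
    print("ok: only printable characters found")
```

Run it as `python check_dump.py backup.dump` before invoking mdb_load; a non-zero exit with the offending line and column is the signal to inspect how the file was produced rather than load it.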
