Intel

AIKIDO-2025-10402

mongodb.libmongocrypt is vulnerable to Double Free

Double Free Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 24, 2025

18

Low Risk

This Affects:

c++mongodb.libmongocrypt
1.8.0 - 1.13.0
Fixed in 1.13.1
Are you affected? Scan for Free

TL;DR

A double-free vulnerability exists in mongodb.libmongocrypt where several parsing functions incorrectly perform cleanup when processing malformed input. Because callers are expected to invoke the corresponding cleanup routine regardless of whether parsing succeeds or fails, a parse error can result in the same memory being freed twice. An attacker able to supply crafted input to an affected parsing function may trigger a denial of service through an application crash. Users should upgrade to a fixed version.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

mongodb.libmongocrypt is vulnerable to Double Free in versions 1.8.0 - 1.13.0.

How to fix this

Upgrade the mongodb.libmongocrypt library to the patch version.