Intel

AIKIDO-2026-197584

lmdb is vulnerable to Integer Overflow

Integer Overflow Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 25, 2026

58

Medium Risk

This Affects:

PYTHONlmdb
0.58.0 - 2.2.0
Fixed in 2.2.1
Are you affected? Scan for Free

TL;DR

The CPython extension binding converts value sizes (mv_size) and key sizes read from LMDB records directly into Python object lengths and allocation sizes without validating them. When an application opens and reads a crafted or corrupted database file, oversized on-disk size fields can overflow size_t arithmetic in the batch-read and sub-database enumeration paths or narrow when cast to Py_ssize_t, producing undersized allocations and out-of-bounds memory access or process crashes. An attacker-supplied database can therefore trigger memory unsafety in the reading process. The fix adds overflow-safe size arithmetic and rejects values that exceed PY_SSIZE_T_MAX before they reach allocation or object-construction code.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application opens LMDB database files from untrusted sources.

Background info

lmdb is vulnerable to Integer Overflow in versions 0.58.0 - 2.2.0.

How to fix this

Upgrade the lmdb library to the patch version.