CVE-2025-12657
Publication date 3 November 2025
Last updated 19 February 2026
Ubuntu priority
Description
The KMIP response parser built into mongo binaries is overly tolerant of certain malformed packets, and may parse them into invalid objects. Later reads of this object can result in read access violations.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| mongodb | 25.10 questing | Not in release |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal |
Vulnerable, fix deferred
|
|
| 18.04 LTS bionic |
Vulnerable, fix deferred
|
|
| 16.04 LTS xenial |
Vulnerable, fix deferred
|
|
| 14.04 LTS trusty |
Vulnerable, fix deferred
|
Notes
john-breton
As of 2026-02-19, upstream has not posted a patch for this issue. Even if they did, due to the SSPL license for MongoDB we would be unable to use the patch to address this vulnerability in Ubuntu. The hope is a license-compliant third-party will make patches available in the future.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
5.0 · Medium
|
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | High |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:H |