
Fedora 44 libmaxminddb Critical Memory Amplification DoS 2026-814fe58971

March 13, 2026
libmaxminddb update addresses critical memory amplification risk with detailed fix information for Fedora users.

Summary

The libmaxminddb library provides a C library for reading MaxMind DB files, including the GeoIP2 databases from MaxMind. This is a custom binary format designed to facilitate fast lookups of IP addresses while allowing for great flexibility in the type of data associated with an address.

The MaxMind DB format is an open file format. The specification is available at https://maxmind.github.io/MaxMind-DB/ and licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License.

Update Information:

libmaxminddb 1.13.1

* Re-release for Ubuntu PPA, no code changes.

libmaxminddb 1.13.0

* MMDB_get_entry_data_list() now validates that the claimed array/map size is plausible given the remaining bytes in the data section. A crafted database could previously claim millions of array elements while only having a few bytes of data, causing disproportionate memory allocation (memory amplification DoS).
* Fixed integer overflow in MMDB_read_node() and find_ipv4_start_node() pointer arithmetic. The node_number * record_length multiplication was performed in uint32_t, which could overflow for very large databases. Now cast to uint64_t before multiplying, matching the pattern already used in find_address_in_search_tree().
* Fixed printf format specifier mismatches in mmdblookup's metadata dump. %i was used for unsigned types and %llu for uint64_t, which is technically undefined behavior. Now uses the portable PRIu32, PRIu16, and PRIu64 macros from .
* Fixed an int...
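The first two 1.13.0 fixes can be seen side by side in the following added example, which is not libmaxminddb's own code. The helper names are hypothetical, record_length is assumed to be the byte size of one search-tree node, and the minimum-bytes-per-element rule is an assumption about what "plausible" means here.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration; helper names are hypothetical, not libmaxminddb API. */

/* Pre-fix pattern: the product is computed in uint32_t and wraps mod 2^32. */
static uint64_t node_offset_u32(uint32_t node_number, uint32_t record_length)
{
    uint32_t offset = node_number * record_length;
    return offset;
}

/* Post-fix pattern: widen one operand to uint64_t before multiplying. */
static uint64_t node_offset_u64(uint32_t node_number, uint32_t record_length)
{
    return (uint64_t)node_number * record_length;
}

/* Size plausibility (assumed rule): every encoded field occupies at least
 * one byte, so an array of N items needs >= N bytes and a map of N pairs
 * needs >= 2N bytes. Reject the claim before allocating anything. */
static bool claimed_size_plausible(uint32_t claimed, size_t remaining,
                                   bool is_map)
{
    uint64_t min_bytes = (uint64_t)claimed * (is_map ? 2u : 1u);
    return min_bytes <= (uint64_t)remaining;
}

int main(void)
{
    /* Constructed values: a node number large enough to wrap 32 bits. */
    uint32_t node = 0x30000000u, record_length = 8;
    printf("u32 offset: %" PRIu64 "\n", node_offset_u32(node, record_length));
    printf("u64 offset: %" PRIu64 "\n", node_offset_u64(node, record_length));

    /* Constructed case: 5,000,000 claimed elements with 16 bytes left. */
    printf("array of 5000000 in 16 bytes plausible: %d\n",
           claimed_size_plausible(5000000u, 16, false));
    printf("array of 3 in 16 bytes plausible: %d\n",
           claimed_size_plausible(3u, 16, false));
    return 0;
}
```

The wrapped 32-bit offset points back inside the file at the wrong node, which is why the widened form matters for bounds checks that follow it.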

Change Log

* Wed Feb 25 2026 Robert Scheck 1.13.1-1 - Upgrade to 1.13.1 (#2442507)

References


[ 1 ] Bug #2442507 - libmaxminddb-1.13.1 is available https://bugzilla.redhat.com/show_bug.cgi?id=2442507

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-814fe58971' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity: critical

Name: libmaxminddb
Product: Fedora 44
Version: 1.13.1
Release: 1.fc44
Summary: C library for reading MaxMind DB files
