Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Unresolved
Priority: Major - P3
Fix Version/s: 8.3 Required
Affects Version/s: 8.2.4, 8.0.18, 7.0.29
Component/s: None
Labels:
None

Assigned Teams:

Server Security
Operating System:
ALL
Backport Requested:

v8.2, v8.0, v7.0
Steps To Reproduce:
Hide

Start mongocryptd and mongod.

Download the attached script and run:

$ uv run repro-mongocryptd-SERVER-116210.py

mongocryptd 8.0.17 is OK.
monogocryptd 8.0.18 fails and logs:

{"t":{"$date":"2026-01-28T12:52:37.866-05:00"},"s":"I", "c":"NETWORK", "id":4615638, "ctx":"conn41","msg":"recv(): message msgLen is invalid.","attr":{"msgLen":290271,"min":16,"max":16384}}
Show
Start mongocryptd and mongod. Download the attached script and run: $ uv run repro-mongocryptd-SERVER-116210.py mongocryptd 8.0.17 is OK. monogocryptd 8.0.18 fails and logs: { "t" :{ "$date" : "2026-01-28T12:52:37.866-05:00" }, "s" : "I" , "c" : "NETWORK" , "id" :4615638, "ctx" : "conn41" , "msg" : "recv(): message msgLen is invalid." , "attr" :{ "msgLen" :290271, "min" :16, "max" :16384}}
Sprint:
Server Security 2026-01-30, Server Security 2026-02-13
Case:
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

Summary
Recently reduced pre-auth message limits cause mongocryptd to reject large commands.

Background
A driver test started failing on server 8.0.18 and 7.0.29. Example task: first execution passed with server 8.0.17, the second failed with 8.0.18, with mongocryptd logging:

{"t":{"$date":"2026-01-28T11:20:08.629-05:00"},"s":"I", "c":"EXECUTOR", "id":22988, "ctx":"conn2","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":17,"codeName":"ProtocolError","errmsg":"recv(): message msgLen 2111419 is invalid. Min 16 Max: 16384"},"remote":"127.0.0.1:56962","connectionId":2}}

The test sends bulk write operations to mongocryptd for client-side encryption. I expect recent changes reduced the maximum acceptable pre-auth size. But I expect pre-auth limits are not applicable to mongocryptd. Drivers do not authenticate to mongocryptd, since mongocryptd is expected to run alongside client applications. And large commands are expected to be sent to mongocryptd to encrypt.

Workarounds
As a short-term workaround: start mongocryptd with a larger preAuthMaximumMessageSizeBytes (set via setParameter).

Affected versions

8.2.4, 8.2.5 (~~SERVER-116490~~)
8.0.18, 8.0.19 (~~SERVER-116495~~)
7.0.29, 7.0.30 (~~SERVER-116496~~)

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

repro-mongocryptd-SERVER-116210.py
2 kB
Jan 28 2026 07:05:49 PM UTC

causes

CSHARP-5862 Skip large encryption tests on latest variants

Closed

is related to

SERVER-116490 [v8.2.4] Adjust the maximum buffer size for ingress requests

Closed

SERVER-116495 [v8.0.18] Adjust the maximum buffer size for ingress requests

Closed

SERVER-116496 [v7.0.29] Adjust the maximum buffer size for ingress requests

Closed

related to

SERVER-118435 Improve test coverage for mongocryptd

Open

Assignee:: Erwin Pe
Reporter:: Kevin Albertson
Participants:: Erwin Pe, Githook User, Kevin Albertson
Votes:: 0 Vote for this issue
Watchers:: 3 Start watching this issue

Created:: Jan 28 2026 07:12:19 PM UTC
Updated:: Feb 11 2026 10:02:43 PM UTC

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates