Description
The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks.
Published: 2026-02-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via lock collision
Action: Assess Impact
AI Analysis

Impact

The vulnerability stems from MongoDB Server’s internal locking mechanism, which uses an encoded resource identifier to decide which lock to acquire. If two collections generate the same encoded identifier, the resulting lock collisions can render one or both collections unavailable. This flaw represents a concurrency issue (CWE-412) that can lead to service interruption for affected collections.

Affected Systems

MongoDB Server accounts for all versions of the product, with no specific affected version range announced. Any deployment using the internal locking system is potentially susceptible to this collision behavior.

Risk and Exploitability

The CVSS score of 7.1 indicates moderate severity. The EPSS score of less than 1% suggests exploitation probability is currently low, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred to be internal or local, as the issue requires concurrent operations that share the same internal resource identifier; details on external exploitation are not provided. Exploitation would involve orchestrating parallel workloads that collide on the encoded resource IDs, thereby triggering lock conflicts and rendering collections temporarily unavailable.

Generated by OpenCVE AI on April 17, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check MongoDB release notes for a patch addressing issues SERVER-114838 or SERVER-115296 and apply the update if available.
  • If no fix exists, reduce or serialize the concurrency of operations that target collection groups likely to share internal resource identifiers, thereby minimizing the chance of lock collisions.
  • Enable and monitor lock‑related logging or diagnostics to detect and alert on unexpected lock conflicts, allowing rapid response to service disruptions.

Generated by OpenCVE AI on April 17, 2026 at 20:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb mongodb
Vendors & Products Mongodb
Mongodb mongodb

Tue, 10 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description The internal locking mechanism of the MongoDB server uses an internal encoding of the resources in order to choose what lock to take. Collections may inadvertently collide with one another in this representation causing unavailability between them due to conflicting locks.
Title Internal ResourceId collision may affect unrelated collections
Weaknesses CWE-412
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb Mongodb
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-02-10T18:59:27.442Z

Reserved: 2026-02-03T18:21:58.986Z

Link: CVE-2026-25612

cve-icon Vulnrichment

Updated: 2026-02-10T18:59:24.564Z

cve-icon NVD

Status : Deferred

Published: 2026-02-10T18:16:37.623

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25612

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T20:45:25Z

Weaknesses