Description
A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.
Published: 2026-03-17
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption via double free or use‑after‑free in MongoDB Server's SBE engine
Action: Patch
AI Analysis

Impact

MongoDB Server implements a slot‑based execution (SBE) engine that stores intermediate hash tables in memory. When an authenticated user with write privileges submits a crafted aggregation query that uses the $lookup operator, the engine may spill an in‑memory hash table to disk, triggering a double‑free or use‑after‑free memory bug. The resulting memory corruption can cause the server to crash or behave unpredictably, potentially leading to a denial‑of‑service event. The vulnerability is identified as CWE‑415, a double free issue.

Affected Systems

MongoDB Inc’s MongoDB Server is the impacted product. No specific version numbers are listed, so any release that implements the SBE engine and supports the $lookup aggregation syntax may be vulnerable.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity. An EPSS score of less than 1% suggests a low likelihood of exploitation in the field. The vulnerability is not present in the CISA KEV catalog. Exploitation requires an authenticated account with write permissions to run the malicious aggregation query, limiting the attack surface to privileged users or compromised accounts. While the description does not state arbitrary code execution, the memory corruption could lead to crashes or other unintended behavior that disrupts service availability.

Generated by OpenCVE AI on April 2, 2026 at 13:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MongoDB Server to the latest release that includes the SBE double‑free fix.
  • Restrict $lookup aggregation commands to trusted users by enforcing least‑privilege access controls.
  • Continuously monitor server logs for crash or memory‑corruption events and configure alerts for repeated failures.
  • If a patch is unavailable, consider disabling the SBE engine or restricting $lookup usage in your deployment configuration.

Generated by OpenCVE AI on April 2, 2026 at 13:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb mongodb
CPEs cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*
Vendors & Products Mongodb mongodb

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb mongodb Server
Vendors & Products Mongodb
Mongodb mongodb Server

Tue, 17 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.
Title Memory safety issues in slot-based execution hash table spill
Weaknesses CWE-415
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H'}

cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb Mongodb Mongodb Server
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-03-17T20:08:24.920Z

Reserved: 2026-03-17T18:55:18.644Z

Link: CVE-2026-4358

cve-icon Vulnrichment

Updated: 2026-03-17T20:06:48.279Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-17T20:16:15.030

Modified: 2026-04-02T12:16:02.273

Link: CVE-2026-4358

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:23:36Z

Weaknesses