Description
Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is not MongoDB Server.
Published: 2026-05-14
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stack exhaustion flaw in the MongoDB PHP driver that can cause applications to crash when they handle deeply nested BSON documents originating from sources other than a MongoDB Server. This flaw leads to denial of service by exhausting stack resources, potentially bringing down web services or other PHP applications that process untrusted data. The weakness is classified as CWE‑674, a stack overflow. The impact is limited to application failure rather than unauthorized code execution or data disclosure.

Affected Systems

The flaw affects the MongoDB Inc. PHP Driver. No specific driver versions are listed, so any installation of the driver that has not been updated after the discovery of this issue may be vulnerable. System administrators should verify the driver version against the vendor’s release notes for a fix.

Risk and Exploitability

The CVSS score of 6.0 indicates a moderate severity. The EPSS score is currently unavailable, so the exact likelihood of exploitation cannot be quantified. The flaw is not listed in CISA’s KEV catalog. The attack vector is inferred: an attacker would need to send specially crafted BSON documents—such as via a web form or API endpoint—to a PHP application using the driver. The source document must come from an external, non‑MongoDB Server to trigger the overflow. Once processed by the driver, the stack exhaustion would terminate the PHP process, resulting in a denial of service.

Generated by OpenCVE AI on May 14, 2026 at 22:19 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the MongoDB PHP driver to the latest version that contains the stack exhaustion fix.
  • If an update is unavailable or delayed, validate and restrict the depth of incoming BSON documents; reject requests that exceed a safe nesting threshold.
  • Configure PHP with stricter stack or memory limits to mitigate the impact of the flaw and eliminate the ability of the driver to exhaust the stack.

Advisories

No advisories yet.

References
History

Fri, 15 May 2026 15:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 23:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Mongodb; Mongodb php Driver

Type: Vendors & Products
Values Removed: (none)
Values Added: Mongodb; Mongodb php Driver

Thu, 14 May 2026 21:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Stack exhaustion vulnerability in the MongoDB PHP driver can cause application crashes when processing deeply nested BSON documents in unusual circumstances when the source of these BSON documents is not MongoDB Server.

Type: Title
Values Removed: (none)
Values Added: PHP Stack Exhaustion

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-674

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0 {'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-05-15T13:30:08.302Z

Reserved: 2026-04-21T17:34:55.192Z

Link: CVE-2026-6811

Vulnrichment

Updated: 2026-05-15T13:30:00.520Z

NVD

Status : Awaiting Analysis

Published: 2026-05-14T22:16:45.137

Modified: 2026-05-15T14:11:57.190

Link: CVE-2026-6811

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T22:45:30Z

Weaknesses