Description
An authenticated user can cause excess memory usage via bitwise match expression AST processing of $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear. This contributes to memory pressure and may lead to availability loss by OOM.

This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Published: 2026-05-13
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can trigger excessive memory consumption by executing bitwise match expressions such as $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear during AST processing. The resulting memory pressure can lead to an out‑of‑memory condition, potentially causing the database instance to become unavailable or crash. This is a type of resource exhaustion vulnerability classified as CWE‑1325, where improper handling of input leads to uncontrolled resource usage.

Affected Systems

MongoDB Server versions prior to 7.0.34, 8.0.23, 8.2.9, and 8.3.2 from MongoDB, Inc. are affected. These include all releases within the 7.x, 8.x, and 8.3 major lines that have not applied the specified patch levels.

Risk and Exploitability

The risk is therefore high for environments where authentication is compromised or where users possess broad query rights, especially in production deployments with high traffic. Monitoring for abnormal memory consumption and applying a fix mitigates the risk.

Generated by OpenCVE AI on May 13, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MongoDB Server to v7.0.34, v8.0.23, v8.2.9, or v8.3.2 or later, which contain the fix for the bitwise match expression memory exhaustion.
  • Restrict users to the minimum necessary privileges to prevent the use of the vulnerable bitwise operators in queries.
  • Implement memory usage monitoring and set thresholds or OOM protection to detect and mitigate admission of excessive memory demands.

Generated by OpenCVE AI on May 13, 2026 at 01:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 00:30:00 +0000

Type Values Removed Values Added
Description An authenticated user can cause excess memory usage via bitwise match expression AST processing of $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear. This contributes to memory pressure and may lead to availability loss by OOM. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Title Post-auth memory exhaustion via bitwise match expressions
Weaknesses CWE-1325
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-05-13T00:05:22.748Z

Reserved: 2026-05-08T23:41:03.607Z

Link: CVE-2026-8199

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T01:45:16Z

Weaknesses