Description
An authenticated user can cause excess memory usage via bitwise match expression AST processing of $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear. This contributes to memory pressure and may lead to availability loss by OOM.

This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Published: 2026-05-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user can trigger excessive memory consumption by executing bitwise match expressions such as $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear during AST processing. The resulting memory pressure can lead to an out‑of‑memory condition, potentially causing the database instance to become unavailable or crash. This is a type of resource exhaustion vulnerability classified as CWE‑1325, where improper handling of input leads to uncontrolled resource usage.

Affected Systems

MongoDB Server versions prior to 7.0.34, 8.0.23, 8.2.9, and 8.3.2 from MongoDB, Inc. are affected. These include all releases within the 7.x, 8.x, and 8.3 major lines that have not applied the specified patch levels.

Risk and Exploitability

The risk is therefore high for environments where authentication is compromised or where users possess broad query rights, especially in production deployments with high traffic. Monitoring for abnormal memory consumption and applying a fix mitigates the risk.

Generated by OpenCVE AI on May 13, 2026 at 01:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MongoDB Server to v7.0.34, v8.0.23, v8.2.9, or v8.3.2 or later, which contain the fix for the bitwise match expression memory exhaustion.
  • Restrict users to the minimum necessary privileges to prevent the use of the vulnerable bitwise operators in queries.
  • Implement memory usage monitoring and set thresholds or OOM protection to detect and mitigate admission of excessive memory demands.

Generated by OpenCVE AI on May 13, 2026 at 01:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 22:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb mongodb
Mongodb mongodb Server
Vendors & Products Mongodb
Mongodb mongodb
Mongodb mongodb Server

Wed, 13 May 2026 00:30:00 +0000

Type Values Removed Values Added
Description An authenticated user can cause excess memory usage via bitwise match expression AST processing of $bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear. This contributes to memory pressure and may lead to availability loss by OOM. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Title Post-auth memory exhaustion via bitwise match expressions
Weaknesses CWE-1325
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb Mongodb Mongodb Server
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-05-13T14:34:02.813Z

Reserved: 2026-05-08T23:41:03.607Z

Link: CVE-2026-8199

cve-icon Vulnrichment

Updated: 2026-05-13T14:33:59.460Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-13T04:17:41.530

Modified: 2026-05-13T22:31:09.603

Link: CVE-2026-8199

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T10:35:10Z

Weaknesses