Description
A use-after-free vulnerability exists in MongoDB's Field-Level Encryption (FLE) query analysis component, affecting client-side uses of mongocryptd and crypt_shared. Triggering this vulnerability requires control over the structure of a client's FLE-related query.

This issue impacts MongoDB Server’s mongocryptd component v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Published: 2026-05-13
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free flaw exists in the Field-Level Encryption component that parses client queries to identify encrypted fields. When a query contains positional projections, the analysis routine mistakenly frees a memory object too early, leaving dangling pointers. If an attacker can control the shape of the query, the freed memory may be reused in a way that corrupts data structures or allows arbitrary code execution, potentially compromising the entire database process.

Affected Systems

MongoDB Server 7.0 versions prior to 7.0.34, 8.0 versions prior to 8.0.23, 8.2 versions prior to 8.2.9, and 8.3 versions prior to 8.3.2 are affected. The vulnerability is present in the mongocryptd component that runs alongside the server and in the client-side crypt_shared library that performs query analysis. Each affected release branch is superseded by the fixed version listed for it.

Risk and Exploitability

The CVSS score of 6.1 reflects a moderate severity risk. EPSS is not available, so the exploitation probability remains uncertain, and the issue is currently not listed in CISA's KEV catalog. An attacker would need to send a specially crafted FLE query from a client that interacts with mongocryptd or crypt_shared. Successful exploitation could result in memory corruption, leading either to remote code execution or a server crash that disrupts availability. In the absence of a publicly known exploit, the practical risk is driven by the vulnerability's inherent severity rather than by observed attacker activity.

Generated by OpenCVE AI on May 13, 2026 at 01:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MongoDB Server to at least v7.0.34, v8.0.23, v8.2.9, or v8.3.2 depending on the environment.
  • Ensure all client applications use a mongocryptd and crypt_shared implementation that is at or beyond the fixed versions.
  • Restrict access to the mongocryptd service to trusted clients, segment the network, and monitor logs for abnormal FLE query patterns.

Generated by OpenCVE AI on May 13, 2026 at 01:35 UTC.


Advisories

No advisories yet.

History

Wed, 13 May 2026 00:30:00 +0000

Values added (no values removed):

Description: A use-after-free vulnerability exists in MongoDB's Field-Level Encryption (FLE) query analysis component, affecting client-side uses of mongocryptd and crypt_shared. Triggering this vulnerability requires control over the structure of a client's FLE-related query. This issue impacts MongoDB Server's mongocryptd component v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.

Title: Use-After-Free in MongoDB FLE Query Analysis When Processing Positional Projections on Encrypted Fields

Weaknesses: CWE-416

References: (none)

Metrics:

cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H'}

cvssV4_0: {'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:L/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-05-13T00:12:35.299Z

Reserved: 2026-05-08T23:42:58.650Z

Link: CVE-2026-8201

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T01:45:16Z

Weaknesses