Description
A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.
Published: 2026-06-09
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in MongoDB Server’s BSON validator permits an attacker to send a specially crafted message that induces uncontrolled recursion between validation functions. Because each recursive call resets the validator’s depth counter, the call stack grows without bound until the process exhausts its memory. This results in a crash of the mongod daemon, making the database service unavailable for legitimate users until a restart occurs. The vulnerability is present before authentication, so any network user could trigger it.

Affected Systems

The issue affects MongoDB Server installations. The affected product list does not specify particular release numbers, so all releases lacking the fix should be considered vulnerable until updated.

Risk and Exploitability

The CVSS score of 8.7 classifies the flaw as High severity. No EPSS data is currently available, but the lack of a KEV listing does not reduce the risk of exploitation. The likely attack vector is remote, with an unauthenticated attacker able to send a malicious BSON payload over the network to provoke the stack overflow. Once triggered, the entire mongod process terminates, leading to a denial of service. There are no known restrictions on pre‑authentication for this flaw, making it easy for threat actors to exploit from anywhere the database is exposed.

Generated by OpenCVE AI on June 10, 2026 at 01:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest MongoDB Server release that contains the BSON recursion patch.
  • Restrict network access to the mongod service by configuring firewall rules or network segmentation to limit exposure to trusted hosts.
  • Configure automated monitoring and automatic restarts for the mongod process, and review logs for stack overflow indications to ensure service availability.

Generated by OpenCVE AI on June 10, 2026 at 01:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb mongodb
CPEs cpe:2.3:a:mongodb:mongodb:*:*:*:*:*:*:*:*
Vendors & Products Mongodb mongodb

Wed, 10 Jun 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Mongodb
Mongodb mongodb Server
Vendors & Products Mongodb
Mongodb mongodb Server

Tue, 09 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Description A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.
Title Unbounded recursion in BSONColumn interleaved-reference causes pre-auth stack overflow
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Mongodb Mongodb Mongodb Server
cve-icon MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-10T18:16:38.879Z

Reserved: 2026-05-27T17:33:16.187Z

Link: CVE-2026-9740

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-06-09T23:17:03.437

Modified: 2026-06-15T16:55:47.097

Link: CVE-2026-9740

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T02:30:05Z

Weaknesses