Description
This issue can occur when running an aggregation pipeline that uses the internal $exchange stage configured with key-range partitioning and order-preserving delivery. If a single key range produces enough documents to fill its exchange buffer (that is, many results are routed to the same consumer), the server reaches the code path where a full per-consumer buffer is detected but the internal "high watermark" for that key range is not updated as intended.
Published: 2026-06-09
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is triggered when an aggregation pipeline uses the internal $exchange stage configured with key-range partitioning and order-preserving delivery. If a single key range produces enough documents to fill its exchange buffer, the server enters a code path where a full per-consumer buffer is detected but the internal high watermark for that key range is not updated as intended. The result is a fatal error that crashes the MongoDB Server. The flaw is classified as CWE-617 (Reachable Assertion) and results in a denial of service, making the database unavailable to every session connected to the affected instance.

Affected Systems

The affected product is MongoDB Server. The CVE does not specify version numbers, so any MongoDB Server release that has not yet addressed SERVER‑124031 may be vulnerable. Users should verify if their deployed version is affected.

Risk and Exploitability

The CVSS base score of 7.1 rates this as high severity. Both CVSS vectors listed for the CVE give a network attack vector with low privileges required and no user interaction. No EPSS value is available, so the exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is any aggregation query, executed by an application or user, that can specify a $exchange stage with key-range partitioning. An attacker who can construct such a query could trigger a crash, causing a denial of service for all clients.

Generated by OpenCVE AI on June 9, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MongoDB Server software to the latest release that contains the fix for SERVER‑124031.
  • If an upgrade cannot be performed immediately, avoid using $exchange stages with key-range partitioning in aggregation pipelines, or limit the number of documents routed to a single consumer so that its exchange buffer does not fill.
  • Enable monitoring and alerting on server crash events, and review logs for the operations that may have triggered the crash.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 00:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Mongodb; Mongodb mongodb Server |
| Vendors & Products | | Mongodb; Mongodb mongodb Server |

Tue, 09 Jun 2026 22:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | This issue can occur when running an aggregation pipeline that uses the internal $exchange stage configured with key-range partitioning and order-preserving delivery. If a single key range produces enough documents to fill its exchange buffer (that is, many results are routed to the same consumer), the server reaches the code path where a full per-consumer buffer is detected but the internal "high watermark" for that key range is not updated as intended. |
| Title | | Using MaxKey() may crash the server |
| Weaknesses | | CWE-617 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-09T22:10:45.815Z

Reserved: 2026-05-27T17:47:39.152Z

Link: CVE-2026-9749

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-09T23:17:04.380

Modified: 2026-06-09T23:17:04.380

Link: CVE-2026-9749

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T00:30:16Z

Weaknesses