Description
An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON GeometryCollection containing a Polygon with a strict-winding CRS.

Strict-winding polygons are intentionally unsupported for indexing, but the guard that rejects them does not inspect members of a GeometryCollection, allowing the unsafe path to be reached which ends with an ensuing null-pointer dereference.
Published: 2026-06-09
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authorized user can crash MongoDB Server by executing a query that uses a 2dsphere index on a field containing a GeoJSON GeometryCollection with a strict‑winding Polygon. The guard that should reject unsupported strict‑winding polygons does not inspect the individual members of a GeometryCollection, so index key generation reaches the unsafe code path and dereferences a null pointer. The crash is a denial of service: the server becomes unavailable to legitimate requests.

Affected Systems

MongoDB Server. No specific versions were listed, so the vulnerability may be present in any release that implements 2dsphere indexing and does not apply the guard to GeometryCollection members. Check the MongoDB changelog for the fix.

Risk and Exploitability

The vulnerability has a CVSS v4.0 score of 7.1 (6.5 under CVSS v3.1). No EPSS score is available, and it is not currently listed in CISA KEV. It can be exploited only by an authenticated user who can submit queries, indicating a moderate likelihood in internal or compromised environments. The crash can be triggered with a single query, so the impact is immediate once the guard bypass is exercised.

Generated by OpenCVE AI on June 10, 2026 at 00:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a MongoDB release that applies the strict‑winding guard to GeometryCollection members.
  • Remove or disable any 2dsphere indexes on fields that may contain GeometryCollections with strict‑winding Polygons.
  • Validate incoming GeoJSON data to reject strict‑winding polygons before they are stored or indexed.
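
The third recommendation as an added example (not MongoDB or OpenCVE code): a pre-ingest check in Python that walks into GeometryCollection members, the place the description says the server-side guard does not look. The function names, the sample documents, and the choice to flag any geometry whose CRS name contains "strictwinding" (as in MongoDB's custom CRS `urn:x-mongodb:crs:strictwinding:EPSG:4326`) are assumptions of this example.

```python
# Added example: pre-ingest GeoJSON check (not MongoDB or OpenCVE code).
# Assumption: any geometry whose CRS name contains "strictwinding" is refused,
# e.g. MongoDB's custom CRS urn:x-mongodb:crs:strictwinding:EPSG:4326.
STRICT_MARKER = "strictwinding"


def _crs_name(geom):
    """Return the CRS name of a GeoJSON object, or None if absent/malformed."""
    crs = geom.get("crs")
    props = crs.get("properties") if isinstance(crs, dict) else None
    name = props.get("name") if isinstance(props, dict) else None
    return name if isinstance(name, str) else None


def find_strict_winding(geom, path="$", depth=0, max_depth=16):
    """List the paths of all geometries that carry a strict-winding CRS.

    Unlike a top-level-only guard, this recurses into every member of a
    GeometryCollection (and into nested collections).
    """
    if not isinstance(geom, dict):
        return []
    if depth > max_depth:
        raise ValueError(f"geometry nesting deeper than {max_depth} at {path}")
    hits = []
    name = _crs_name(geom)
    if name and STRICT_MARKER in name.lower():
        hits.append(path)
    members = geom.get("geometries")
    if geom.get("type") == "GeometryCollection" and isinstance(members, list):
        for i, member in enumerate(members):
            hits += find_strict_winding(
                member, f"{path}.geometries[{i}]", depth + 1, max_depth)
    return hits


# Constructed sample documents (coordinates are arbitrary).
_CRS = {"type": "name",
        "properties": {"name": "urn:x-mongodb:crs:strictwinding:EPSG:4326"}}
_RING = [[[0, 0], [3, 6], [6, 1], [0, 0]]]
CLEAN = {"type": "Polygon", "coordinates": _RING}
TOP_LEVEL = {"type": "Polygon", "coordinates": _RING, "crs": _CRS}
NESTED = {"type": "GeometryCollection", "geometries": [
    {"type": "Point", "coordinates": [1, 1]},
    {"type": "Polygon", "coordinates": _RING, "crs": _CRS},
]}

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN), ("top", TOP_LEVEL), ("nested", NESTED)):
        print(label, find_strict_winding(doc))
```

A non-empty result means the document should be refused before it reaches a field covered by a 2dsphere index; the returned paths identify the offending members for logging.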


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 02:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Mongodb; Mongodb mongodb Server |
| Vendors & Products | | Mongodb; Mongodb mongodb Server |

Tue, 09 Jun 2026 23:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON GeometryCollection containing a Polygon with a strict-winding CRS. Strict-winding polygons are intentionally unsupported for indexing, but the guard that rejects them does not inspect members of a GeometryCollection, allowing the unsafe path to be reached which ends with an ensuing null-pointer dereference. |
| Title | | GeometryCollection with strict-winding polygon causes server crash during 2dsphere index key generation |
| Weaknesses | | CWE-476 |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: mongodb

Published:

Updated: 2026-06-09T22:27:49.950Z

Reserved: 2026-05-27T17:48:46.130Z

Link: CVE-2026-9752

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-09T23:17:04.770

Modified: 2026-06-09T23:17:04.770

Link: CVE-2026-9752

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T02:30:05Z
