CVE-2026-9753

HIGH

Server crash via malformed binary diff passed to $_internalApplyOplogUpdate.

Title source: cna

Description

The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command.

References (1)

Core 1

Core References

https://jira.mongodb.org/browse/SERVER-124959

Scores

CVSS v3 8.1

EPSS 0.0026

EPSS Percentile 17.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1287

Status published

Products (4)

MongoDB/MongoDB Server 7.0.0 - 7.0.35

MongoDB/MongoDB Server 8.0.0 - 8.0.24

MongoDB/MongoDB Server 8.2.0 - 8.2.10

MongoDB/MongoDB Server 8.3.0 - 8.3.3

Published Jun 09, 2026

Tracked Since Jun 10, 2026