CVE-2026-9743 Overview
CVE-2026-9743 is a null pointer dereference vulnerability in MongoDB Server 8.0. An aggregation stage can leave its _subPipeline field null during processing of certain pipelines. When a getMore command is subsequently issued on the same cursor, the server dereferences the null sub-pipeline while reattaching to the operation context. This invalid memory access crashes the mongod process.
An authenticated user with permission to run aggregation pipelines can trigger the crash. The result is a denial of service against the database server, disrupting availability for all connected clients. The flaw is classified as [CWE-476] Null Pointer Dereference.
Critical Impact
Authenticated attackers can crash MongoDB Server 8.0 instances by issuing a crafted aggregation pipeline followed by a getMore call on the resulting cursor.
Affected Products
- MongoDB Server 8.0
Discovery Timeline
- 2026-06-09 - CVE-2026-9743 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-9743
Vulnerability Analysis
The defect lives in MongoDB's aggregation framework. Aggregation pipelines can contain stages that hold an internal _subPipeline reference used to execute nested pipeline logic. Under specific pipeline shapes, the parent stage finishes initial processing without populating _subPipeline, leaving it as a null pointer.
MongoDB cursors persist between commands so clients can fetch additional batches using getMore. When a getMore arrives, the server reattaches each pipeline stage to a fresh OperationContext. The reattach path assumes _subPipeline is valid and dereferences it without a null check. The process crashes with a segmentation fault, terminating active sessions and interrupting the node's duties as a replica set member.
Root Cause
The root cause is a missing null check on the _subPipeline member during cursor reattachment in the aggregation execution engine. The code path that allocates and assigns the sub-pipeline does not run for every valid pipeline configuration, but the consumer of that field assumes it is always populated.
Attack Vector
Exploitation requires network access to the MongoDB instance and an authenticated account with privileges to execute aggregation commands. The attacker submits a specially crafted aggregate command that produces a cursor while leaving _subPipeline null. The attacker then issues a getMore against the returned cursor identifier. The server dereferences the null pointer and crashes. No special timing or memory layout manipulation is required, and the crash is reliably reproducible.
Technical specifics are tracked in the MongoDB Server Issue Tracker (SERVER-123688).
Detection Methods for CVE-2026-9743
Indicators of Compromise
- Unexpected mongod process termination with segmentation fault signatures in system logs or crash dumps
- MongoDB log entries showing an aggregate command immediately followed by a getMore from the same client just before a fatal shutdown
- Repeated client reconnections after abrupt cursor termination on aggregation operations
Detection Strategies
- Parse mongod.log for Fatal assertion, Invalid access at address, or SIGSEGV entries correlated with aggregation cursor activity
- Hunt for authenticated sessions issuing aggregation pipelines containing nested or sub-pipeline stages followed by getMore calls that result in connection resets
- Alert on replica set primary step-downs or unplanned failovers that coincide with aggregation workload spikes
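The first strategy above can be scripted. The following is an added example, not code from MongoDB or from this advisory: it scans structured JSON log lines for the fatal markers listed above and reports which connections ran aggregate and then getMore shortly before the crash. The sample lines are constructed, and reading the command document from attr.command or attr.commandArgs is an assumption about the log layout.

```python
import json
from datetime import datetime, timedelta

# Strings the advisory says to look for, plus the usual signal description.
FATAL_MARKERS = ("Fatal assertion", "Invalid access at address", "SIGSEGV", "Segmentation fault")

def find_crash_sequences(lines, window_s=60):
    """For each crash, list connections that ran aggregate and then getMore
    in the window_s seconds before the first fatal log line."""
    window = timedelta(seconds=window_s)
    recent, findings, last_crash = [], [], None
    for raw in lines:
        try:
            entry = json.loads(raw)
            ts = datetime.fromisoformat(entry["t"]["$date"])
        except (ValueError, KeyError, TypeError):
            continue  # skip anything that is not a structured log line
        attr = entry.get("attr") if isinstance(entry.get("attr"), dict) else {}
        cmd = attr.get("command") or attr.get("commandArgs")  # assumed field names
        if isinstance(cmd, dict):
            name = next((n for n in ("aggregate", "getMore") if n in cmd), None)
            if name:
                recent.append((ts, entry.get("ctx"), name))
        if entry.get("s") != "F" or not any(m in raw for m in FATAL_MARKERS):
            continue
        if last_crash and ts - last_crash < window:
            continue  # further fatal lines belonging to the same crash
        last_crash = ts
        ran_aggregate, suspects = set(), []
        for cts, ctx, name in recent:
            if cts < ts - window:
                continue
            if name == "aggregate":
                ran_aggregate.add(ctx)
            elif ctx in ran_aggregate and ctx not in suspects:
                suspects.append(ctx)
        findings.append({"crash_at": ts.isoformat(), "crash_ctx": entry.get("ctx"), "suspects": suspects})
    return findings

# Constructed sample lines (not from a real server), shaped like structured JSON logs.
SAMPLE_LOG = [
    "mongod starting (plain-text line, ignored)",
    '{"t":{"$date":"2026-06-09T12:00:01.000+00:00"},"s":"D2","c":"COMMAND","ctx":"conn7","msg":"About to run the command","attr":{"commandArgs":{"aggregate":"orders"}}}',
    '{"t":{"$date":"2026-06-09T12:00:01.500+00:00"},"s":"I","c":"COMMAND","ctx":"conn9","msg":"Slow query","attr":{"command":{"aggregate":"users"}}}',
    '{"t":{"$date":"2026-06-09T12:00:02.000+00:00"},"s":"D2","c":"COMMAND","ctx":"conn7","msg":"About to run the command","attr":{"commandArgs":{"getMore":1234}}}',
    '{"t":{"$date":"2026-06-09T12:00:02.500+00:00"},"s":"F","c":"CONTROL","ctx":"conn7","msg":"Invalid access at address","attr":{"address":"0x0"}}',
    '{"t":{"$date":"2026-06-09T12:00:02.500+00:00"},"s":"F","c":"CONTROL","ctx":"conn7","msg":"Got signal","attr":{"error":"Segmentation fault"}}',
]
print(find_crash_sequences(SAMPLE_LOG))
```

A getMore that crashes the server never reaches its completion log entry, so the sequence is only visible when commands are logged before execution (raised COMMAND verbosity) or captured by auditing.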
Monitoring Recommendations
- Centralize MongoDB diagnostic logs and crash dumps into a SIEM for cross-host correlation of repeat crashes
- Monitor authentication audit logs for low-privileged accounts running aggregation commands against production databases
- Track mongod uptime and restart counts as a service health metric to surface exploitation attempts quickly
How to Mitigate CVE-2026-9743
Immediate Actions Required
- Upgrade MongoDB Server 8.0 deployments to the fixed release identified in SERVER-123688 once available
- Audit user accounts and remove the read or aggregation privileges from any identity that does not require them
- Restrict network exposure of mongod to trusted application tiers using firewall rules or private networking
Patch Information
Refer to the MongoDB Server Issue Tracker entry SERVER-123688 for the official fix version and release notes. Apply the vendor patch as soon as it is published for your deployment channel, and validate the upgrade in a staging environment before rolling to production replica sets and sharded clusters.
Workarounds
- Revoke aggregation pipeline privileges from non-essential users until the patch is applied
- Enforce strong authentication and disable any anonymous or shared credentials that can reach the database
- Place MongoDB behind a query proxy or application layer that rejects unexpected aggregation stage combinations
- Configure replica set members with automatic restart and rapid failover so a single crashed primary does not cause prolonged downtime


