CVE-2026-9748 Overview
CVE-2026-9748 is a denial-of-service vulnerability in MongoDB's mongod server process. The $_internalConvertBucketIndexStats aggregation stage incorrectly uses PauseExecution to signal a "skip this document" condition when an index stats conversion fails. PauseExecution is not a general-purpose skip mechanism. It is a TeeBuffer-internal signal used by $facet to coordinate sub-pipelines. When the affected stage precedes $facet in a pipeline, TeeBuffer receives an unexpected PauseExecution from upstream and triggers a hard invariant assertion, crashing the mongod process. The flaw is tracked as CWE-617: Reachable Assertion.
Critical Impact
An authenticated database user can issue a crafted aggregation pipeline that crashes mongod, disrupting database availability.
Affected Products
- MongoDB Server (mongod) — version information not published in NVD record
- Deployments exposing the $_internalConvertBucketIndexStats aggregation stage
- Time-series collections that route through bucket index stats conversion
Discovery Timeline
- 2026-06-09 - CVE-2026-9748 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-9748
Vulnerability Analysis
The vulnerability resides in MongoDB's aggregation framework, specifically in the $_internalConvertBucketIndexStats stage used during time-series index statistics conversion. The stage signals upstream conversion failures by emitting a PauseExecution state. This reuses a control-flow signal that the framework reserves for a narrow purpose. PauseExecution is intended only as a TeeBuffer internal signal, allowing $facet to coordinate execution between its parallel sub-pipelines. Any other consumer of that signal treats it as an invariant violation.
When a query places $_internalConvertBucketIndexStats upstream of $facet, the TeeBuffer consumes the unexpected PauseExecution signal. The TeeBuffer enforces a hard invariant assertion on the state it receives. The assertion fails, terminating the mongod process. The bug is a reachable assertion rather than a memory corruption flaw, and exploitation requires only the ability to submit aggregation pipelines.
Root Cause
The root cause is overloading of a control-flow signal. $_internalConvertBucketIndexStats repurposes PauseExecution for document skipping, but no contract exists between aggregation stages permitting this reuse. The TeeBuffer component performs strict validation and aborts the process on any unexpected state.
Attack Vector
The attack vector is network-based and requires low-privileged authenticated access. An attacker submits a crafted aggregation pipeline that places $_internalConvertBucketIndexStats upstream of $facet, then forces an index stats conversion failure. The resulting PauseExecution propagates into TeeBuffer, triggering the assertion and crashing mongod. No user interaction is required and the impact is limited to availability. Refer to the MongoDB Issue Tracker entry SERVER-123951 for the engineering analysis.
Detection Methods for CVE-2026-9748
Indicators of Compromise
- Unexpected mongod process termination with invariant failure messages referencing TeeBuffer or PauseExecution in server logs.
- Aggregation pipelines in the profiler or slow query log containing $_internalConvertBucketIndexStats followed by $facet.
- Repeated client reconnect attempts immediately following crash events recorded in diagnostic.data.
Detection Strategies
- Enable MongoDB database profiling at level 2 and search captured commands for the $_internalConvertBucketIndexStats stage paired with $facet.
- Monitor mongod log files for Invariant failure or fassert entries correlated with aggregation command execution.
- Correlate crash timestamps with authenticated session activity to identify abusive accounts.
Monitoring Recommendations
- Forward mongod logs to a centralized logging platform and alert on invariant or assertion failures.
- Track process uptime metrics and trigger alerts when mongod restarts deviate from baseline.
- Audit application code and ad-hoc query usage for references to internal aggregation stages prefixed with $_internal.
How to Mitigate CVE-2026-9748
Immediate Actions Required
- Restrict database access so that only trusted application service accounts can submit aggregation pipelines.
- Revoke aggregation privileges from user accounts that do not require time-series operations.
- Inspect application code paths for unintended use of internal aggregation stages and remove them.
Patch Information
MongoDB published the engineering fix in the MongoDB Issue Tracker entry SERVER-123951. Apply the corresponding MongoDB server release that includes the fix once available for your deployment channel. Fixed versions were not enumerated in the NVD record at publication time; consult MongoDB release notes for the patched build matching your major version.
Workarounds
- Block client submission of aggregation pipelines that reference $_internalConvertBucketIndexStats at the application or proxy layer.
- Limit time-series index statistics queries to administrative maintenance windows executed by privileged operators.
- Apply role-based access control to remove find and aggregate privileges from accounts that do not require them.
- Place MongoDB instances behind network segmentation so only application tiers can reach the database port.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
