CVE 8.7 HIGH

Unbounded recursion in BSONColumn interleaved-reference causes pre-auth stack overflow_CVE-2026-9740

June 9, 2026 invoker category_cve

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.

AI Analysis

Unauthenticated stack overflow in MongoDB Server's BSON validation logic due to uncontrolled mutual recursion

Basic Information

ID CVE-2026-9740

Source mongodb

Published Jun 9, 2026 at 22:43

Affected Product

Vendor MongoDB

Product MongoDB Server

Version 8.3.0, 8.2.0, 8.0.0, 7.0.0

Affected Versions MongoDB MongoDB Server 8.3.0
MongoDB MongoDB Server 8.2.0
MongoDB MongoDB Server 8.0.0
MongoDB MongoDB Server 7.0.0

CWE Classification

CWE-674

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor MongoDB

Product MongoDB Server

Version 8.3.0, 8.2.0, 8.0.0, 7.0.0

References

jira.mongodb.org /browse/SERVER-125063

{
    "lastseen": "",
    "description": "A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.",
    "published": "2026-06-09T22:43:44.291Z",
    "modified": "2026-06-09T22:43:44.291Z",
    "type": "cve",
    "title": "Unbounded recursion in BSONColumn interleaved-reference causes pre-auth stack overflow",
    "source": "mongodb",
    "references": "https://jira.mongodb.org/browse/SERVER-125063",
    "id": "CVE-2026-9740",
    "bulletinFamily": "",
    "cwe": [
        "CWE-674"
    ],
    "cvelist": null,
    "sourceData": "MongoDB MongoDB Server 8.3.0\nMongoDB MongoDB Server 8.2.0\nMongoDB MongoDB Server 8.0.0\nMongoDB MongoDB Server 7.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MongoDB Server",
    "version": "8.3.0, 8.2.0, 8.0.0, 7.0.0",
    "vendor": "MongoDB",
    "ai_description": "Unauthenticated stack overflow in MongoDB Server's BSON validation logic due to uncontrolled mutual recursion",
    "ai_severity": "High",
    "ai_vendor": "MongoDB",
    "ai_product": "MongoDB Server",
    "ai_version": "8.3.0, 8.2.0, 8.0.0, 7.0.0",
    "ai_score": 8.7
}

💭 Join the Security Discussion ❌ Cancel Reply