CVE-2026-9740: Unbounded recursion in BSONColumn interleaved-reference causes pre-auth stack overflow
A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 7.0.35
- Affected Products: 1
HarborGuard Analysis
Synopsis
A stack overflow vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated remote attacker to crash the mongod process by sending a specially crafted message. The flaw lies in unbounded mutual recursion between BSON validation functions, where each recursive re-entry resets the internal depth counter, allowing the call stack to grow without bound. Successful exploitation causes a complete denial of service by killing the database process. Patched-image rebuilds at versions 7.0.35, 8.0.24, 8.2.10, and 8.3.3 are available on HarborGuard for affected environments.
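The recursion pattern described above, as an added illustration that is not MongoDB's code: a toy validator (constructed tags, not BSON) in which a binary-element validator re-enters the document validator. The buggy path restarts the depth counter at zero on each re-entry, so the nesting bound never accumulates; the fixed path threads the caller's depth through, and the same deeply nested input is rejected at the bound instead of being walked in full.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed toy tags (NOT BSON): kDoc opens a nested document, kBin opens a
// binary element that wraps a document, kEnd terminates a document.
enum : uint8_t { kEnd = 0x00, kDoc = 0x03, kBin = 0x05 };
constexpr std::size_t kMaxDepth = 8;   // nesting bound the validator enforces

bool validateDoc(const std::vector<uint8_t>&, std::size_t&, std::size_t, bool);

// Binary-element validator: the payload is itself a document, so validation
// re-enters validateDoc (the mutual recursion the advisory describes).
bool validateBin(const std::vector<uint8_t>& buf, std::size_t& pos,
                 std::size_t depth, bool fixed) {
    // Buggy: re-enter with a fresh depth of 0, so the bound never accumulates
    // across the doc -> bin -> doc cycle. Fixed: thread the depth through.
    return validateDoc(buf, pos, fixed ? depth + 1 : 0, fixed);
}

bool validateDoc(const std::vector<uint8_t>& buf, std::size_t& pos,
                 std::size_t depth, bool fixed) {
    if (depth > kMaxDepth) return false;           // bound check
    while (pos < buf.size()) {
        uint8_t tag = buf[pos++];
        if (tag == kEnd) return true;              // this document is done
        if (tag == kDoc) {
            if (!validateDoc(buf, pos, depth + 1, fixed)) return false;
        } else if (tag == kBin) {
            if (!validateBin(buf, pos, depth, fixed)) return false;
        } else {
            return false;                          // unknown tag
        }
    }
    return false;                                  // unterminated document
}

// Constructed input: `levels` binary elements nested inside one another, each
// terminated, plus the outer document's own terminator.
std::vector<uint8_t> nestedBin(std::size_t levels) {
    std::vector<uint8_t> buf(levels, kBin);
    buf.insert(buf.end(), levels + 1, kEnd);
    return buf;
}

// Returns whether the (buggy or fixed) validator accepts `levels` of nesting.
bool accepted(std::size_t levels, bool fixed) {
    std::size_t pos = 0;
    return validateDoc(nestedBin(levels), pos, 0, fixed);
}
```

With 100 nested levels and a bound of 8, the buggy validator walks the whole input (one stack frame pair per level) while the fixed one stops at level 9.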
HarborGuard Coverage
Detection of CVE-2026-9740 is available across every HarborGuard environment. The CVE is ingested from upstream feeds and matched against customer images, including custom-built images layering MongoDB Server, within minutes of publication.
HarborGuard scores this vulnerability at CVSS v4.0 8.7 (HIGH) and is capable of weighting that score against each customer environment's compliance policy to reflect local risk tolerance. Triage findings are routable to the appropriate team inbox within each organization based on policy-defined ownership rules.
Patched-image rebuilds at MongoDB Server versions 7.0.35, 8.0.24, 8.2.10, and 8.3.3 become available for any image found running an affected release. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the mongod service over the network; no prior foothold on the host is needed.
- Authentication: Not required
  No credentials are required; the malformed BSON message can be sent before any authentication handshake completes.
- Victim interaction: Not required
  No user action is needed; the attacker sends the crafted message directly to the server.
- Attack complexity: Low
  Exploitation is reliable and condition-free; no race condition, memory-layout dependency, or special environmental state is required.
Blast Radius
- Crashes the mongod process, taking the database instance offline and making all hosted data unavailable for the duration of the outage.
- Any application or service depending on the affected MongoDB instance loses database connectivity immediately upon exploit.
- If the mongod process is not configured to auto-restart, the outage persists until an operator manually intervenes.
- No data is read or modified by this exploit; impact is limited to availability of the database service.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-9740 is active across all customer scan pipelines, covering any image that includes MongoDB Server in the affected version ranges (7.0.0-7.0.34, 8.0.0-8.0.23, 8.2.0-8.2.9, 8.3.0-8.3.2). Patched rebuilds targeting 7.0.35, 8.0.24, 8.2.10, or 8.3.3 (depending on the version track in the affected image) are available for qualifying images. For customers who opt into auto-remediation, the median time from CVE publication to a merged patch PR for HIGH-severity issues is around 90 minutes, covering the rebuild, regression run, and PR open steps. Where compliance policy requires manual approval, the rebuilt image and test results are queued for reviewer action as soon as the rebuild completes. Given that this is a pre-authentication denial-of-service, organizations that cannot patch immediately should consider network-policy controls that restrict unauthenticated access to mongod ports at the cluster or host firewall level as a compensating measure.
Fix available
- MongoDB / MongoDB Server: < 8.3.3 (from 8.3.0) · < 8.2.10 (from 8.2.0) · < 8.0.24 (from 8.0.0) · < 7.0.35 (from 7.0.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N