CVE-2026-9752: GeometryCollection with strict-winding polygon causes server crash during 2dsphere index key generation
An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON GeometryCollection containing a Polygon with a strict-winding CRS. Strict-winding polygons are intentionally unsupported for indexing, but the guard that rejects them does not inspect members of a GeometryCollection, so the unsafe path can be reached and ends in a null-pointer dereference.
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: 7.0.35
- Affected Products: 1
HarborGuard Analysis
Synopsis
A server-crash vulnerability (null-pointer dereference) affects MongoDB Server when processing 2dsphere index key generation. An authenticated user with at least a low-privilege account can trigger the crash over the network by querying a field that stores a GeoJSON GeometryCollection containing a strict-winding Polygon, because the guard that rejects strict-winding polygons does not inspect GeometryCollection members before the unsafe code is reached. Successful exploitation causes the MongoDB server process to crash, making the database unavailable. Patched-image rebuilds at versions 7.0.35, 8.0.24, 8.2.10, and 8.3.3 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-9752 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images. Any image running an affected MongoDB Server version (7.0.0 through pre-fix 8.3.x) is flagged automatically.
HarborGuard scores this CVE at CVSS 7.1 (HIGH, v4.0) and surfaces it accordingly in each customer environment's vulnerability queue. Per-environment compliance policy weighting is applied, and the finding is routed to the inbox of the team responsible for database or infrastructure images within each customer org.
A patched-image rebuild at the appropriate fix version (7.0.35, 8.0.24, 8.2.10, or 8.3.3, depending on the release line in use) becomes available on HarborGuard once upstream packages are published. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the MongoDB service over the network to submit the malicious query.
- Authentication: Required
Any low-privilege authenticated account is sufficient; no administrative credentials are needed to trigger the crash.
- Victim interaction: Not required
No action from another user or administrator is needed; the attacker submits the query directly.
- Attack complexity: Detail
Exploitation is reliable and condition-free; no race conditions or special environmental factors must be met beyond supplying a GeometryCollection with a strict-winding Polygon.
Blast Radius
- Crashes the MongoDB server process, taking the database instance offline and interrupting all reads and writes until the service is restarted.
- Any application relying on the affected MongoDB instance loses database connectivity for the duration of the outage.
- No data is read or modified by the attacker; confidentiality and data integrity are not directly impacted by this vulnerability.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of CVE publication for any image running an affected MongoDB Server version (7.0.x before 7.0.35, 8.0.x before 8.0.24, 8.2.x before 8.2.10, or 8.3.x before 8.3.3). Patched-image rebuilds at each fix version become available as soon as upstream packages are published. For customers who opt into auto-remediation, HarborGuard triggers a rebuild at the appropriate fix version, runs a regression test suite against the rebuilt image, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR for environments with auto-remediation enabled is around 90 minutes. Where compliance policy or environmental constraints prevent auto-remediation, HarborGuard surfaces the finding with severity weighting so teams can prioritize a manual upgrade. Until a fix is applied, consider restricting network access to MongoDB instances to trusted application hosts only and auditing which users hold roles that permit querying 2dsphere-indexed collections.
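The role audit suggested as an interim measure can be scripted. This is an added example, not HarborGuard or MongoDB code: it takes index listings in the shape returned by `getIndexes()` and role documents in the shape returned by `rolesInfo` with `showPrivileges: true`, and lists the roles that may run `find` on 2dsphere-indexed namespaces. The sample data is constructed, and all role, database, collection and function names are hypothetical.

```javascript
// Constructed sample: db.<coll>.getIndexes() output, keyed by namespace.
const sampleIndexes = {
  "shop.stores": [{ key: { _id: 1 }, name: "_id_" },
                  { key: { loc: "2dsphere" }, name: "loc_2dsphere" }],
  "shop.orders": [{ key: { _id: 1 }, name: "_id_" }],
  "fleet.routes": [{ key: { tenant: 1, path: "2dsphere" }, name: "tenant_1_path_2dsphere" }],
};
// Constructed sample: "roles" array from rolesInfo with showPrivileges: true.
const sampleRoles = [
  { role: "storeReader", db: "shop", privileges: [
    { resource: { db: "shop", collection: "" }, actions: ["find", "listIndexes"] }] },
  { role: "orderWriter", db: "shop", privileges: [
    { resource: { db: "shop", collection: "orders" }, actions: ["find", "insert"] }] },
  { role: "metrics", db: "admin", privileges: [
    { resource: { cluster: true }, actions: ["serverStatus"] }] },
  { role: "anyReader", db: "admin", privileges: [], inheritedPrivileges: [
    { resource: { db: "", collection: "" }, actions: ["find"] }] },
];

// Namespaces with at least one 2dsphere key, including compound indexes.
function geoNamespaces(indexesByNs) {
  return Object.keys(indexesByNs).filter(ns =>
    indexesByNs[ns].some(ix => Object.values(ix.key).includes("2dsphere")));
}

// Resource matching: an empty db or collection string acts as a wildcard.
function covers(resource, ns) {
  if (resource.anyResource) return true;
  if (resource.cluster) return false; // cluster resource grants no collection access
  const dot = ns.indexOf(".");
  const db = ns.slice(0, dot), coll = ns.slice(dot + 1);
  return (resource.db === "" || resource.db === db) &&
         (resource.collection === "" || resource.collection === coll);
}

// Map "role@db" to the 2dsphere-indexed namespaces where the role may run find.
function rolesQueryingGeo(roles, indexesByNs) {
  const geo = geoNamespaces(indexesByNs), out = {};
  for (const r of roles) {
    const privs = [...(r.privileges || []), ...(r.inheritedPrivileges || [])];
    const hit = geo.filter(ns => privs.some(p =>
      p.actions.includes("find") && covers(p.resource, ns)));
    if (hit.length) out[`${r.role}@${r.db}`] = hit;
  }
  return out;
}

console.log(rolesQueryingGeo(sampleRoles, sampleIndexes));
```

Users holding any listed role, directly or through inheritance, are the accounts to review while the upgrade is pending.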
Fix available
- MongoDB / MongoDB Server: < 8.3.3 (from 8.3.0) · < 8.2.10 (from 8.2.0) · < 8.0.24 (from 8.0.0) · < 7.0.35 (from 7.0.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N