CVE-2026-11933
Description
A use-after-free in MongoDB's BSON-to-JS array conversion allows authenticated users to leak memory or crash the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the bsonObjToArray function within MongoDB's MozJS BSON binding layer. Unlike its sibling bsonGetImmutable, which ensures the BSON object is owned before creating JavaScript wrappers, bsonObjToArray does not apply the same ownership check. This inconsistency can lead to a use-after-free condition when operating on sub-document wrappers. Affected versions include MongoDB 8.0.27. [1]
Exploitation
An attacker must be an authenticated user with read privileges and the ability to execute server-side JavaScript, for example via the $where or $function operators. By crafting a query that triggers the conversion of a BSON sub-document to a JavaScript array, the attacker can cause the server to access memory that has already been freed. The trigger is a query that exercises the missing ownership check in bsonObjToArray. [1]
Impact
Successful exploitation can result in disclosure of sensitive information from the mongod process memory or a denial of service through a server crash. The attacker gains no direct code execution but can leak data or disrupt service availability. [1]
Mitigation
The issue is fixed in MongoDB 8.0.27, the version where it was reported. Users should upgrade to a patched version. No workarounds are mentioned in the available reference. [1]
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: this section is only generated when the actual fix diff can be read. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.