CVE-2026-9743
Description
MongoDB Server 8.0 is vulnerable to a denial of service when a crafted aggregation is followed by a getMore, causing a null pointer dereference and process crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In MongoDB Server 8.0, an aggregation pipeline can leave the _subPipeline field null while certain stages, such as $group, are being processed. If a subsequent getMore operation is issued on the same cursor, the server may dereference this null _subPipeline field, leading to an invalid address access and a crash of the MongoDB process [1].
Exploitation
An authenticated user with the ability to run aggregation pipelines can trigger this vulnerability. The attacker must first issue a specially crafted aggregation pipeline that causes _subPipeline to become null, and then immediately issue a getMore operation on the cursor associated with that aggregation [1].
Impact
Successful exploitation of this vulnerability allows an authenticated attacker to cause a denial of service by crashing the MongoDB server process. This results in the unavailability of the database for all users.
Mitigation
This issue has been fixed in the master branch of MongoDB. Users are advised to upgrade to a patched version once available. No specific patched version or release date is currently disclosed in the available references, but the fix is present in the development branch [1].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.