CVE-2026-9748
Description
A bug in MongoDB's $_internalConvertBucketIndexStats stage can crash the server when it precedes the $facet stage, leading to denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The $_internalConvertBucketIndexStats stage in MongoDB incorrectly used PauseExecution to signal that it was skipping unconvertible documents. This signal is intended for internal use by $facet to coordinate sub-pipelines. When $_internalConvertBucketIndexStats is placed before $facet in a pipeline, the TeeBuffer component receives this unexpected signal, triggering an invariant assertion and crashing the mongod process. The available references list no specific affected versions and mark the issue as fixed [1].
Exploitation
An attacker needs to construct a MongoDB aggregation pipeline that includes the $_internalConvertBucketIndexStats stage immediately before the $facet stage. The pipeline must also contain conditions that lead to the $_internalConvertBucketIndexStats stage attempting to skip a document by sending a PauseExecution signal. Successful exploitation requires the ability to execute arbitrary aggregation pipelines against the database.
Impact
Successful exploitation of this vulnerability results in a denial of service. The mongod process crashes, making the database unavailable to legitimate users. The scope of the impact is limited to the specific mongod instance being targeted, but it can disrupt the availability of the entire MongoDB deployment if it's a single-node setup or if the targeted node is critical.
Mitigation
This vulnerability has been fixed. The available references mark the issue as resolved and list no specific affected versions, implying that recent versions are not vulnerable [1]. Users are advised to upgrade to a patched version of MongoDB as soon as it becomes available. No specific workaround is mentioned in the provided references.
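As an added detection example (not MongoDB's code and not taken from the cited references), the following Python scans structured mongod log lines for aggregate commands in which $_internalConvertBucketIndexStats precedes $facet. The log entry shape, the `app.metrics` namespace and the sample lines are constructed assumptions, and the check flags any later $facet rather than only an adjacent one.

```python
import json

INTERNAL_STAGE = "$_internalConvertBucketIndexStats"

def classify(pipeline):
    """Return 'precedes-facet' if the internal stage comes before any $facet stage,
    'internal-stage' if it is present without a later $facet, else None."""
    # Each aggregation stage is a document with a single operator key.
    names = [next(iter(s), None) for s in pipeline if isinstance(s, dict)]
    if INTERNAL_STAGE not in names:
        return None
    later = names[names.index(INTERNAL_STAGE) + 1:]
    return "precedes-facet" if "$facet" in later else "internal-stage"

def scan_log_lines(lines):
    """Return (ctx, ns, verdict) for each logged aggregate command that is flagged."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # plain-text or truncated line
        attr = entry.get("attr") if isinstance(entry, dict) else None
        cmd = attr.get("command") if isinstance(attr, dict) else None
        if not isinstance(cmd, dict) or "aggregate" not in cmd:
            continue
        pipeline = cmd.get("pipeline")
        verdict = classify(pipeline if isinstance(pipeline, list) else [])
        if verdict:
            hits.append((entry.get("ctx"), attr.get("ns"), verdict))
    return hits

def _sample(ctx, pipeline):
    # Constructed log entry; stage arguments are empty placeholders.
    return json.dumps({"s": "I", "c": "COMMAND", "ctx": ctx, "msg": "Slow query",
                       "attr": {"ns": "app.metrics",
                                "command": {"aggregate": "metrics", "pipeline": pipeline}}})

SAMPLE_LOG = [
    _sample("conn21", [{"$match": {}}, {"$facet": {"a": [{"$count": "n"}]}}]),
    _sample("conn22", [{INTERNAL_STAGE: {}}, {"$facet": {"a": [{"$count": "n"}]}}]),
    _sample("conn23", [{INTERNAL_STAGE: {}}, {"$limit": 5}]),
    "not a json line",
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(hit)
```

Because a command that crashes mongod may not reach the log, `classify` can also be used as a pre-submission check on pipelines an application builds from user input.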
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (1)
- MongoDB: Nine Vulnerabilities Disclosed, Including Server Crashes and Data Exposure. Vypr Intelligence · Jun 9, 2026