CVE-2026-9752
Description
A null pointer dereference in MongoDB can cause a server crash when indexing specific GeoJSON GeometryCollections.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A null pointer dereference vulnerability exists in MongoDB when using a 2dsphere index on a field containing a GeoJSON GeometryCollection. This occurs because the validation guard for strict-winding polygons does not inspect the members of a GeometryCollection, allowing an unsupported path to be reached. This affects versions of MongoDB where this behavior is present, as described in SERVER-123440 [1].
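The guard gap described above, as an added Python illustration (not MongoDB's code and not from the referenced ticket): a top-level-only check beside one that walks GeometryCollection members, which can be run over exported documents to find affected fields. The function names, the sample documents, the placeholder CRS name, and matching on the substring `strictwinding` are assumptions.

```python
# Added illustration; not MongoDB source code.
STRICT_MARKER = "strictwinding"  # assumption: substring identifying a strict-winding CRS name


def has_strict_crs(geom):
    """True if this geometry object carries a CRS whose name contains the marker."""
    crs = geom.get("crs")
    if not isinstance(crs, dict):
        return False
    props = crs.get("properties")
    name = props.get("name") if isinstance(props, dict) else None
    return isinstance(name, str) and STRICT_MARKER in name.lower()


def shallow_guard(geom):
    """Top-level-only check: the shape of guard the page describes as insufficient."""
    return isinstance(geom, dict) and geom.get("type") == "Polygon" and has_strict_crs(geom)


def deep_guard(geom, path="$"):
    """Walk GeometryCollection members (nested too); return paths of strict-winding Polygons."""
    if not isinstance(geom, dict):
        return []
    if geom.get("type") == "Polygon":
        return [path] if has_strict_crs(geom) else []
    hits = []
    if geom.get("type") == "GeometryCollection":
        members = geom.get("geometries")
        if isinstance(members, list):
            for i, member in enumerate(members):
                hits += deep_guard(member, f"{path}.geometries[{i}]")
    return hits


# Constructed sample values; the CRS name is a placeholder, not a real identifier.
RING = [[[0, 0], [0, 1], [1, 1], [0, 0]]]
PLACEHOLDER_CRS = {"type": "name", "properties": {"name": "urn:example:crs:strictwinding:PLACEHOLDER"}}
top_level = {"type": "Polygon", "coordinates": RING, "crs": PLACEHOLDER_CRS}
wrapped = {"type": "GeometryCollection", "geometries": [
    {"type": "Point", "coordinates": [0, 0]},
    {"type": "Polygon", "coordinates": RING, "crs": PLACEHOLDER_CRS},
]}
benign = {"type": "GeometryCollection", "geometries": [{"type": "Polygon", "coordinates": RING}]}

if __name__ == "__main__":
    for label, doc in [("top_level", top_level), ("wrapped", wrapped), ("benign", benign)]:
        print(label, "shallow:", shallow_guard(doc), "deep:", deep_guard(doc))
```

The shallow check passes the `wrapped` document because its top-level type is `GeometryCollection`; the recursive check reports the member path.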
Exploitation
An authorized user can trigger this vulnerability by inserting a document into a collection with a 2dsphere index. The document must contain a GeoJSON GeometryCollection in the indexed field, and this collection must include a Polygon with a strict-winding CRS. The server crashes during the index key generation process when the parseFromGeoJSON function pushes a null s2Polygon pointer into the S2RegionUnion regions vector.
Impact
Successful exploitation of this vulnerability results in a denial-of-service condition, causing the MongoDB server to crash. This is due to a null-pointer dereference occurring within the S2RegionUnion::GetRectBound() function. The attacker gains no further privileges or access beyond crashing the server.
Mitigation
MongoDB has addressed this issue in versions 6.0.14, 6.1.3, 7.0.3, and 7.1.0. Users are advised to upgrade to one of these patched versions or later. No workarounds are available for earlier versions. This vulnerability has not been listed in the Known Exploited Vulnerabilities (KEV) catalog as of the current date.
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References: 1
News mentions: 1
- MongoDB: Nine Vulnerabilities Disclosed, Including Server Crashes and Data Exposure · Vypr Intelligence · Jun 9, 2026