CVE-2026-9753
Description
MongoDB's $_internalApplyOplogUpdate stage allows authenticated users to crash the server or cause memory out-of-bounds via malformed diffs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The $_internalApplyOplogUpdate aggregation pipeline stage in MongoDB can be invoked by any authenticated user who is allowed to run the aggregate command; despite its $_internal prefix it is reachable through that public command. A malformed binary diff supplied to the stage can drive the server into an out-of-bounds memory access or crash it. The cited reference does not enumerate affected versions; it lists fixes in 8.3.3, 8.2.10, 8.0.24, and 7.0.35 [1], so releases older than those on each of the four branches are the ones to check.
Exploitation
An attacker must first authenticate to the MongoDB server with a role that permits the aggregate command. The attacker then submits an aggregation whose pipeline contains a $_internalApplyOplogUpdate stage carrying a malformed binary diff. Submitting that single command is sufficient to trigger the vulnerability; no further interaction is needed.
Impact
Successful exploitation results in a denial-of-service condition: the MongoDB server crashes. The underlying out-of-bounds memory access may also have further, unpredictable consequences for server stability and security, depending on which memory is read or written; the reference describes only the crash and out-of-bounds outcomes, so nothing beyond denial of service should be assumed from the page alone.
Mitigation
This vulnerability has been fixed in MongoDB versions 8.3.3, 8.2.10, 8.0.24, and 7.0.35, released on or before June 9, 2026. Users are advised to upgrade to the patched release for their branch. No workarounds are mentioned in the available references [1]; until an upgrade is applied, the set of principals who can reach the stage is bounded by who can authenticate and run aggregate, so reviewing which accounts hold that privilege is the practical interim check.
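The two operational checks that follow from the Exploitation and Mitigation sections above are (a) whether a given mongod is older than the fix on its branch and (b) whether any client has already sent the internal stage through aggregate. The script below is an added example, not code from MongoDB or from the cited report. It assumes mongod's structured JSON log format (the "Slow query" record, id 51803, with attr.command and attr.ns), takes the fix list from this page, and uses constructed sample log lines; the stage argument in the sample is a placeholder shape, not a crash trigger. The search is recursive so the stage is also found inside sub-pipelines ($lookup, $unionWith, $facet).

```python
import json
import re

# Fixed releases named on this page, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (7, 0): (7, 0, 35),
    (8, 0): (8, 0, 24),
    (8, 2): (8, 2, 10),
    (8, 3): (8, 3, 3),
}

STAGE = "$_internalApplyOplogUpdate"


def parse_version(version):
    """Turn a mongod version string such as '8.0.24' (or '8.0.24-rc1') into a tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def patch_status(version):
    """Compare a server version (e.g. the output of db.version()) with the fix list.

    Returns 'patched', 'below-fix', or 'no-fix-listed' for branches this page does
    not name (e.g. 6.0). The page does not enumerate affected versions, so
    'below-fix' means 'older than the fix on its branch', not a confirmed hit.
    """
    v = parse_version(version)
    fix = FIXED_VERSIONS.get(v[:2])
    if fix is None:
        return "no-fix-listed"
    return "patched" if v >= fix else "below-fix"


def _contains_stage(node):
    """Walk a command document recursively so the stage is found even when nested
    inside a sub-pipeline ($lookup, $unionWith, $facet)."""
    if isinstance(node, dict):
        return any(k == STAGE or _contains_stage(v) for k, v in node.items())
    if isinstance(node, list):
        return any(_contains_stage(x) for x in node)
    return False


def find_stage_uses(log_lines):
    """Scan mongod structured log lines (one JSON object per line) and return
    (timestamp, namespace, connection ctx) for each aggregate command whose
    pipeline contains the internal stage. Unparseable lines are skipped."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        attr = rec.get("attr") or {}
        cmd = attr.get("command") or {}
        if not isinstance(cmd, dict) or "aggregate" not in cmd:
            continue
        if _contains_stage(cmd.get("pipeline", [])):
            t = rec.get("t")
            stamp = t.get("$date") if isinstance(t, dict) else t
            hits.append((stamp, attr.get("ns"), rec.get("ctx")))
    return hits


def _log_line(conn, ns, command, millis):
    """Build a constructed record in the shape of mongod's 'Slow query' (id 51803) entry."""
    return json.dumps({
        "t": {"$date": "2026-06-09T10:00:00.000+00:00"},
        "s": "I", "c": "COMMAND", "id": 51803, "ctx": conn, "msg": "Slow query",
        "attr": {"type": "command", "ns": ns, "command": command, "durationMillis": millis},
    })


# Constructed sample log lines (not captured from a real server). The stage
# argument in the second line is a placeholder shape, not a crash trigger.
SAMPLE_LOG_LINES = [
    _log_line("conn11", "app.orders",
              {"aggregate": "orders", "pipeline": [{"$match": {"status": "open"}}],
               "cursor": {}, "$db": "app"}, 130),
    _log_line("conn12", "app.orders",
              {"aggregate": "orders",
               "pipeline": [{"$lookup": {"from": "items", "as": "items",
                                         "pipeline": [{STAGE: {"oplogUpdate": {}}}]}}],
               "cursor": {}, "$db": "app"}, 105),
    _log_line("conn13", "app.orders",
              {"find": "orders", "filter": {"_id": 42}, "$db": "app"}, 250),
    "not json at all",
]


if __name__ == "__main__":
    for v in ("7.0.34", "8.0.24", "8.2.9", "8.3.3", "6.0.20"):
        print(v, patch_status(v))
    for hit in find_stage_uses(SAMPLE_LOG_LINES):
        print("internal stage used:", hit)
```

Two caveats for real use: mongod only writes a "Slow query" record for operations over slowms (100 ms by default), so the log scan misses fast commands unless the threshold is lowered (db.setProfilingLevel(0, {slowms: 0})) or auditing is enabled, and the version check only tells you which side of the fix a server sits on for the four branches the page names.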
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
No source-code context for this CVE; mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions: 1
[1] MongoDB: Nine Vulnerabilities Disclosed, Including Server Crashes and Data Exposure. Vypr Intelligence, Jun 9, 2026.