MEDIUM 6.5

CVE-2026-9752: MongoDB 2dsphere Null-Pointer DoS via GeoJSON GeometryCollection

An authenticated user can crash a MongoDB server by executing a specially crafted query against a 2dsphere geospatial index. The vulnerability exists because MongoDB's validation logic fails to properly inspect nested geometric objects within a GeoJSON GeometryCollection, allowing a forbidden strict-winding Polygon to bypass safety checks and trigger a null-pointer dereference that terminates the server process.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-476
Affected products
1 configuration(s)
Published / Modified
2026-06-09 / 2026-06-18

NVD description (verbatim)

An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON GeometryCollection containing a Polygon with a strict-winding CRS. Strict-winding polygons are intentionally unsupported for indexing, but the guard that rejects them does not inspect members of a GeometryCollection, allowing the unsafe path to be reached which ends with an ensuing null-pointer dereference.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9752 is a null-pointer dereference vulnerability in MongoDB's geospatial indexing subsystem. The 2dsphere index implementation intentionally rejects strict-winding Polygon geometries at parse time due to mathematical incompatibility with spherical geometry calculations. However, the validation guard only examines top-level GeoJSON objects and does not recursively inspect members of a GeometryCollection wrapper. An authenticated attacker can embed a strict-winding Polygon inside a GeometryCollection, evading the protective check. When the index processes this nested polygon, it reaches an unsafe code path that dereferences a null pointer, crashing the mongod process. The vulnerability requires valid database credentials and the ability to execute queries, but no special privileges or administrative access.

Business impact

This vulnerability enables a denial-of-service attack against MongoDB deployments. Any authenticated database user—including application service accounts with minimal privileges—can force unplanned service restarts. In production environments, repeated crashes disrupt application availability, trigger incident response overhead, and may cause cascading failures in dependent services. Organizations relying on MongoDB for critical workloads face potential SLA violations and customer-facing downtime. The threat is amplified in shared or multi-tenant database instances where multiple applications or teams share the same MongoDB cluster.

Affected systems

MongoDB instances across all versions that support 2dsphere geospatial indexing are potentially affected. The vendor and product identifier is mongodb:mongodb. Verify the specific affected version range and any version that includes a fix against the official MongoDB security advisory, as this summary does not specify version boundaries.

Exploitability

Exploitability is straightforward for any user with database access. No network-level bypasses, race conditions, or complex setup is required. An attacker needs only valid credentials and the ability to submit a query—a capability present in most application integration scenarios. The attack is repeatable and deterministic. However, the requirement for prior authentication prevents unauthenticated remote exploitation. Organizations with strong access controls and application-level query validation will see reduced risk.

Remediation

Apply the MongoDB security patch released for this vulnerability. Verify the patched version number against the official MongoDB security advisory. Additionally, implement database-level access controls to restrict query execution to trusted application accounts, and consider deploying network segmentation to limit which services can reach MongoDB instances. Disable 2dsphere indexing on non-geospatial workloads if not required.

Patch guidance

Consult the official MongoDB security advisory to identify the patched version for your release series (e.g., 4.4.x, 5.0.x, 6.0.x, etc.). MongoDB typically issues patches across multiple supported versions. Apply the patch during a scheduled maintenance window to minimize service disruption. For high-availability deployments with replica sets, perform a rolling restart to avoid cluster downtime. Test the patch in a staging environment against your application queries before production deployment. Verify that geospatial queries continue to function correctly post-patch.

Detection guidance

Monitor MongoDB logs for repeated connection attempts from internal applications followed by immediate disconnections, which may indicate crash-and-reconnect patterns. Enable MongoDB's query profiler to capture slow or unusual queries targeting 2dsphere indexes. Look for application errors reporting unexpected MongoDB connection losses. In security monitoring, detect queries that construct GeoJSON GeometryCollection objects with Polygon members, particularly if followed by service restarts. Network-based detection is difficult; focus on endpoint and database-level telemetry.

Why prioritize this

MEDIUM severity (CVSS 6.5) reflects the authentication requirement that prevents remote unauthenticated attacks. However, prioritize patching because availability impact is high and exploitability is trivial for any insider or compromised application account. Organizations with strict database access controls and mature query validation practices face lower immediate risk but should still patch within a standard maintenance cycle. The fix is non-invasive and poses minimal regression risk.

Risk score, explained

The CVSS 3.1 score of 6.5 (MEDIUM) is derived from a network-accessible service (AV:N) with low complexity (AC:L) requiring low-level privilege (PR:L, authenticated user). The impact is availability-only (A:H for denial of service via crash), with no confidentiality or integrity compromise (C:N, I:N). The scoped impact (S:U) indicates the crash affects only the targeted service. This rating appropriately reflects a denial-of-service condition that does not lead to data breach or privilege escalation.

Frequently asked questions

Can an unauthenticated attacker exploit this vulnerability?

No. The vulnerability requires valid MongoDB database credentials. An attacker must first obtain or compromise a user account with query execution privileges. This significantly reduces the attack surface compared to unauthenticated remote code execution vulnerabilities, but insider threats and compromised application accounts remain viable attack vectors.

Does this vulnerability allow data theft or modification?

No. The vulnerability causes a server crash (denial of service) but does not bypass authentication, encryption, or access controls. No data is exposed or altered. The impact is limited to service availability.

Are all MongoDB versions affected?

Only versions supporting 2dsphere geospatial indexing are affected. Verify the specific version range in the official MongoDB security advisory. Many legacy and specialized MongoDB deployments may not use geospatial indexing and could be at lower risk, but all users should check their version against the advisory.

What is a strict-winding Polygon and why is it blocked?

A strict-winding Polygon is a GeoJSON geometry specification where ring orientation strictly follows conventions that are incompatible with spherical trigonometry used in 2dsphere indexes. MongoDB rejects these at parse time to prevent mathematical errors during spatial calculations. This vulnerability bypasses that protection by nesting the forbidden polygon inside a GeometryCollection.

This analysis is based on publicly disclosed information and the referenced CVE record. Specific affected version numbers, patch availability dates, and remediation timelines must be verified against the official MongoDB security advisory. Organizations should conduct their own risk assessment based on their MongoDB deployment version, configuration, and access controls. This summary does not constitute professional security advice; consult with MongoDB support and your security team before making patching decisions. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).