Use-After-Free in MongoDB mongocryptd FLE query (v7.0<7.0.34/8.0<8.0.23)
CVE-2026-8201 Published on May 13, 2026
Use-After-Free in MongoDB FLE Query Analysis When Processing Positional Projections on Encrypted Fields
A use-after-free vulnerability exists in MongoDB's Field-Level Encryption (FLE) query analysis component, affecting client-side uses of mongocryptd and crypt_shared. Triggering this vulnerability requires control over the structure of a client's FLE-related query.
This issue impacts MongoDB Servers mongocryptd component v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Vulnerability Analysis
CVE-2026-8201 can be exploited with network access and requires a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be small on confidentiality and integrity, and high on availability.
Weakness Type
What is a Dangling pointer Vulnerability?
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
CVE-2026-8201 has been classified as a Dangling pointer vulnerability or weakness.
Products Associated with CVE-2026-8201
Affected Versions
MongoDB, Inc. MongoDB Server:
- Versions from 7.0 up to, but not including, 7.0.34 are affected.
- Versions from 8.0 up to, but not including, 8.0.23 are affected.
- Versions from 8.2 up to, but not including, 8.2.9 are affected.
- Versions from 8.3 up to, but not including, 8.3.2 are affected.
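As an added example (not part of the advisory), a small triage check that parses a reported mongocryptd/MongoDB Server version string and tests it against the affected ranges listed above; the version numbers are taken from this page, the function names are my own, and the sample inventory is constructed.

```python
import re

# Affected ranges from the advisory: each listed branch is vulnerable from its
# first release up to, but not including, the fixed version.
AFFECTED_RANGES = {
    (7, 0): (7, 0, 34),
    (8, 0): (8, 0, 23),
    (8, 2): (8, 2, 9),
    (8, 3): (8, 3, 2),
}


def parse_version(text):
    """Turn a version string such as '8.0.22' or 'v7.0.33-rc0' into an int tuple.

    Any pre-release suffix is ignored for the comparison.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version_text):
    """Return True when the version is on a branch listed as affected
    and is older than that branch's fixed release."""
    major, minor, patch = parse_version(version_text)
    fixed = AFFECTED_RANGES.get((major, minor))
    if fixed is None:
        return False  # branch not listed in this advisory
    return (major, minor, patch) < fixed


def triage(versions):
    """Map each reported version to a status for a fleet report."""
    return {v: ("affected" if is_affected(v) else "fixed or not listed") for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real data.
    sample = ["7.0.33", "7.0.34", "8.0.22", "8.2.9", "8.3.1", "6.0.15"]
    for version, status in triage(sample).items():
        print(f"{version:>8}: {status}")
```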