MongoDB BSON Validator Recursion Crash (CVE20269740)
CVE-2026-9740 Published on June 9, 2026
Unbounded recursion in BSONColumn interleaved-reference causes pre-auth stack overflow
A vulnerability in MongoDB Server's BSON validation logic allows an unauthenticated user to crash the mongod process by sending a specially crafted message. The BSON validator's handling of certain nested binary data structures permits uncontrolled mutual recursion between validation functions, where each re-entry resets internal depth tracking.
Vulnerability Analysis
CVE-2026-9740 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
What is a Stack Exhaustion Vulnerability?
The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.
CVE-2026-9740 has been classified to as a Stack Exhaustion vulnerability or weakness.
Products Associated with CVE-2026-9740
Want to know whenever a new CVE is published for MongoDB? stack.watch will email you.
Affected Versions
MongoDB Server:- Version 8.3.0 and below 8.3.3 is affected.
- Version 8.2.0 and below 8.2.10 is affected.
- Version 8.0.0 and below 8.0.24 is affected.
- Version 7.0.0 and below 7.0.35 is affected.