Home

Description

An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON GeometryCollection containing a Polygon with a strict-winding CRS. Strict-winding polygons are intentionally unsupported for indexing, but the guard that rejects them does not inspect members of a GeometryCollection, allowing the unsafe path to be reached which ends with an ensuing null-pointer dereference.

PUBLISHED Reserved 2026-05-27 | Published 2026-06-09 | Updated 2026-06-10 | Assigner mongodb




HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-476 NULL pointer dereference

Product status

Default status
unaffected

8.3.0 (semver) before 8.3.3
affected

8.2.0 (semver) before 8.2.10
affected

8.0.0 (semver) before 8.0.24
affected

7.0.0 (semver) before 7.0.35
affected

Credits

muhammaddaffa finder

References

jira.mongodb.org/browse/SERVER-123440

cve.org (CVE-2026-9752)

nvd.nist.gov (CVE-2026-9752)

Download JSON