CVE-2026-8843— Calling createIndex with certain index types can crash mongod
Possible ATT&CK Techniques 1AI
T1499 · Endpoint Denial of ServiceAffected Version Matrix 3
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| MongoDB, Inc. | MongoDB Server | 7.0< 7.0.32 | affected |
8.0< 8.0.21 | affected | ||
8.2< 8.2.6 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-8843
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Calling createIndex with certain index types can crash mongod
Source: NVD (National Vulnerability Database)
Vulnerability Description
Creating a "2dsphere_bucket" index on a non-timeseries bucket collection will succeed, but any subsequent attempt to insert a document which triggers updating that index will crash the server. A similar issue occurs when creating "queryable_encrypted_range" indices. This issue affects MongoDB Server v7.0 versions prior to 7.0.32, v8.0 versions prior to 8.0.21 and v8.2 versions prior to 8.2.6
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
可达断言
Source: NVD (National Vulnerability Database)
Vulnerability Title
MongoDB Server 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MongoDB Server是美国MongoDB公司的一套开源的NoSQL数据库。该数据库提供面向集合的存储、动态查询、数据复制及自动故障转移等功能。 MongoDB Server v7.0 7.0.32之前版本、v8.0 8.0.21之前版本和v8.2 8.2.6之前版本存在安全漏洞,该漏洞源于创建2dsphere_bucket索引或queryable_encrypted_range索引后,插入触发更新索引的文档可能导致服务器崩溃。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| MongoDB, Inc. | MongoDB Server | 7.0 ~ 7.0.32 | - |
II. Public POCs for CVE-2026-8843
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-8843
请登录查看更多情报信息。
Other References for CVE-2026-8843 (1)
IV. Related Vulnerabilities
Same product: MongoDB Server
- CVE-2026-8202
Post-authentication CPU utilization DoS via $trim/$ltrim/$rt - CVE-2026-8336
Post-authentication use-after-free error in $_internalJsEmit - CVE-2026-8201
Use-After-Free in MongoDB FLE Query Analysis When Processing - CVE-2026-8200
Schema validation log messages may not redact user data - CVE-2026-8199
Post-auth memory exhaustion via bitwise match expressions
Same vendor: MongoDB, Inc.
- CVE-2026-9101
Prototype pollution in csv parsing - CVE-2026-9100
Heap memory out of bounds read and crash in C Driver legacy - CVE-2026-8202
Post-authentication CPU utilization DoS via $trim/$ltrim/$rt - CVE-2026-8336
Post-authentication use-after-free error in $_internalJsEmit - CVE-2026-8201
Use-After-Free in MongoDB FLE Query Analysis When Processing
Same weakness: CWE-617
- CVE-2026-8257
WebAssembly Binaryen BrOn wasm-ir-builder.cpp makeBrOn asser - CVE-2026-41584
ZEBRA: rk Identity Point Panic in Transaction Verification - CVE-2026-20450
MediaTek Chipsets 安全漏洞 - CVE-2026-41485
Kyverno Controller Denial of Service via forEach Mutation Pa - CVE-2026-34067
nimiq-transaction vulnerable to panic via `HistoryTreeProof`
V. Comments for CVE-2026-8843
No comments yet