A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.
{
"cna_assigner": "mongodb",
"cwe_ids": [
"CWE-415"
],
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "8.2"
},
{
"fixed": "8.2.6"
},
{
"introduced": "8.0"
},
{
"fixed": "8.0.20"
},
{
"introduced": "7.0"
},
{
"fixed": "7.0.31"
}
]
}
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/4xxx/CVE-2026-4358.json"
}{
"source": "CPE_RANGE",
"cpe": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*",
"extracted_events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.31"
},
{
"introduced": "8.0.0"
},
{
"fixed": "8.0.20"
},
{
"introduced": "8.2.0"
},
{
"fixed": "8.2.6"
}
]
}"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-4358.json"
[
{
"id": "CVE-2026-4358-074a18d5",
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/32a732a9b646200050bedd569d0e18fda534f92c",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"212916051933611333336019566765871154533",
"127072531193682496647404363037825275968",
"82618083542634382065142722552922596523",
"4324924340243736427572372707787432252"
]
},
"target": {
"file": "src/mongo/util/md5.cpp"
}
},
{
"id": "CVE-2026-4358-1abd9456",
"signature_type": "Line",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/05009bb976757189fd9bff4cebc5d803a6737a95",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"243049191849363753065600341015684019120",
"312131738472726656287569917628189519640",
"269011836439409954144825691130893251414",
"261701652252642430706775392390697022443"
]
},
"target": {
"file": "src/mongo/util/md5.cpp"
}
},
{
"id": "CVE-2026-4358-3141a725",
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/05009bb976757189fd9bff4cebc5d803a6737a95",
"deprecated": false,
"digest": {
"function_hash": "22528191371751663195701634984920870034",
"length": 244.0
},
"target": {
"function": "md5_init",
"file": "src/mongo/util/md5.cpp"
}
},
{
"id": "CVE-2026-4358-de078695",
"signature_type": "Function",
"signature_version": "v1",
"source": "https://github.com/mongodb/mongo/commit/32a732a9b646200050bedd569d0e18fda534f92c",
"deprecated": false,
"digest": {
"function_hash": "253896680426164393151009864932457722232",
"length": 57.0
},
"target": {
"function": "md5_init_state",
"file": "src/mongo/util/md5.cpp"
}
}
]
"2026-07-15T21:57:36Z"