CVE-2026-9753

Source
https://cve.org/CVERecord?id=CVE-2026-9753
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9753.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-9753
Aliases
Downstream
Published
2026-06-09T22:30:57.171Z
Modified
2026-07-15T19:06:44.909909Z
Severity
  • 7.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Server crash via malformed binary diff passed to $_internalApplyOplogUpdate.
Details

The $_internalApplyOplogUpdate aggregation pipeline stage can be used to execute a document diff containing a malformed binary diff to return memory out-of-bounds or crash the server. $_internalApplyOplogUpdate can be executed by any authenticated user with access to the aggregate command.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9753.json",
    "cwe_ids": [
        "CWE-1287"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "introduced": "8.3.0"
                },
                {
                    "fixed": "8.3.3"
                },
                {
                    "introduced": "8.2.0"
                },
                {
                    "fixed": "8.2.10"
                },
                {
                    "introduced": "8.0.0"
                },
                {
                    "fixed": "8.0.24"
                },
                {
                    "introduced": "7.0.0"
                },
                {
                    "fixed": "7.0.35"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "mongodb"
}
References

Affected packages

Git / github.com/mongodb/mongo

Affected ranges

Type
GIT
Repo
https://github.com/mongodb/mongo
Events
Database specific
{
    "cpe": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.0.35"
        },
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.24"
        },
        {
            "introduced": "8.2.0"
        },
        {
            "fixed": "8.2.10"
        },
        {
            "introduced": "8.3.0"
        },
        {
            "fixed": "8.3.3"
        }
    ]
}

Affected versions

0.*
0.9.1
1.*
1.7-cut
r0.*
r0.0.3
r0.0.4_rc1
r0.0.6_rc1
r0.0.7_rc1
r0.0.7_rc2
r0.0.7_rc3
r0.0.7_rc4
r0.0.9_rc1
r0.1.0_rc1
r0.1.2_rc1
r0.1.3_rc1
r0.1.4_rc1
r0.1.5_rc1
r0.1.6_rc1
r0.2.1
r0.9.1
r0.9.10
r0.9.5
r0.9.6
r0.9.8
r0.9.9
r1.*
r1.1.1
r1.1.3
r1.3.0
r1.3.4
r1.5.0
r1.5.1
r1.5.2
r1.5.5
r1.5.6
r1.7.5
r1.7.6
r1.8.0-rc0
r2.*
r2.1.1
r2.1.2
r2.2.0-rc0
r2.3.1
r2.3.2
r2.4.0-rc0
r2.4.0-rc1
r2.4.0-rc2
r2.4.0.rc1
r2.5.1
r2.5.2
r2.5.3
r2.5.4
r2.5.5
r2.6.0-rc0
r2.6.0-rc1
r2.7.0
r2.7.1
r2.7.2
r2.7.3
r2.7.4
r2.7.5
r2.7.6
r2.7.7
r2.7.8
r2.8.0-rc0
r2.8.0-rc1
r2.8.0-rc2
r2.8.0-rc3
r2.8.0-rc4
r2.8.0-rc5
r3.*
r3.1.0
r3.1.1
r3.1.2
r3.1.3
r3.1.4
r3.1.5
r3.1.6
r3.1.7
r3.1.8
r3.1.9
r3.2.0
r3.2.0-rc0
r3.2.0-rc1
r3.2.0-rc2
r3.2.0-rc3
r3.2.0-rc4
r3.2.0-rc5
r3.2.0-rc6
r3.3.0
r3.3.1
r3.3.10
r3.3.11
r3.3.12
r3.3.13
r3.3.14
r3.3.15
r3.3.2
r3.3.3
r3.3.4
r3.3.5
r3.3.6
r3.3.7
r3.3.8
r3.3.9
r3.4.0-rc0
r3.4.0-rc1
r3.4.0-rc2
r3.4.0-rc3
r3.5.0
r3.5.1
r3.5.10
r3.5.11
r3.5.12
r3.5.13
r3.5.2
r3.5.3
r3.5.4
r3.5.5
r3.5.6
r3.5.7
r3.5.8
r3.5.9
r3.6.0-rc0
r3.6.0-rc1
r3.6.0-rc2
r3.6.0-rc3
r3.6.0-rc4
r3.7.0
r3.7.1
r3.7.2
r3.7.3
r3.7.4
r3.7.5
r3.7.6
r3.7.7
r3.7.8
r3.7.9
r4.*
r4.0.0-rc0
r4.1.0
r4.1.1
r4.1.10
r4.1.11
r4.1.12
r4.1.13
r4.1.2
r4.1.3
r4.1.4
r4.1.5
r4.1.6
r4.1.7
r4.1.8
r4.1.9
r4.3.0
r4.3.1
r4.3.2
r4.3.3
r4.3.4
r4.5.0
r4.8.0-alpha
r4.9.0-alpha
r4.9.0-alpha0
r4.9.0-alpha1
r4.9.0-alpha2
r4.9.0-alpha3
r4.9.0-alpha4
r4.9.0-alpha5
r4.9.0-alpha6
r4.9.0-alpha7
r5.*
r5.0.0-alpha
r5.0.0-alpha0
r5.1.0-alpha
r5.2.0-alpha
r5.3.0-alpha
r5.3.0-alpha0
r5.3.0-alpha1
r5.3.0-alpha2
r5.3.0-alpha3
r5.3.0-alpha4
r6.*
r6.0.0-alpha
r6.0.0-alpha0
r6.0.0-alpha1
r6.1.0-alpha
r6.2.0-alpha
r6.3.0-alpha
r6.3.0-alpha0
r6.3.0-rc0
r7.*
r7.0.0
r7.0.0-alpha
r7.0.0-alpha0
r7.0.0-rc0
r7.0.0-rc1
r7.0.0-rc10
r7.0.0-rc2
r7.0.0-rc3
r7.0.0-rc4
r7.0.0-rc5
r7.0.0-rc6
r7.0.0-rc7
r7.0.0-rc8
r7.0.0-rc9
r7.0.1
r7.0.1-rc0
r7.0.10
r7.0.10-rc0
r7.0.11
r7.0.11-rc0
r7.0.11-rc1
r7.0.11-rc2
r7.0.12
r7.0.12-rc0
r7.0.12-rc1
r7.0.13
r7.0.13-rc0
r7.0.13-rc1
r7.0.14
r7.0.14-rc0
r7.0.15
r7.0.15-rc0
r7.0.15-rc1
r7.0.16
r7.0.16-rc0
r7.0.16-rc1
r7.0.17
r7.0.18
r7.0.2
r7.0.2-rc0
r7.0.2-rc1
r7.0.2-rc2
r7.0.21
r7.0.21-alpha0
r7.0.21-rc0
r7.0.22
r7.0.22-rc0
r7.0.23
r7.0.23-rc0
r7.0.23-rc1
r7.0.24
r7.0.24-rc0
r7.0.25-alpha0
r7.0.26
r7.0.26-rc0
r7.0.27
r7.0.27-alpha0
r7.0.27-rc0
r7.0.3
r7.0.3-rc0
r7.0.3-rc1
r7.0.4
r7.0.4-rc0
r7.0.5
r7.0.5-rc0
r7.0.6
r7.0.6-rc0
r7.0.7
r7.0.7-rc0
r7.0.7-rc1
r7.0.7-rc2
r7.0.8
r7.0.8-rc0
r7.0.9
r7.0.9-rc0
r7.0.9-rc1
r8.*
r8.0.0
r8.0.1
r8.0.1-rc0
r8.0.10
r8.0.10-rc0
r8.0.12
r8.0.12-rc0
r8.0.13
r8.0.13-rc0
r8.0.13-rc1
r8.0.13-rc2
r8.0.14
r8.0.14-rc0
r8.0.14-rc1
r8.0.16
r8.0.16-rc0
r8.0.16-rc1
r8.0.17-alpha0
r8.0.2
r8.0.3
r8.0.4
r8.0.4-rc0
r8.0.5
r8.0.5-rc0
r8.0.5-rc1
r8.0.5-rc2
r8.0.6
r8.2.0
r8.2.1
r8.2.1-rc0
r8.2.1-rc1
r8.2.2
r8.2.2-rc0
r8.2.3-alpha0
r8.2.4-alpha0
r8.2.4-alpha1
r8.3.0

Database specific

vanir_signatures
[
    {
        "source": "https://github.com/mongodb/mongo/commit/1e3c7c32cb8246028ecc02d1d4b6c6c1f70ba429",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "328502844643021291939386328423142806983",
                "85739572630903537909444397421191965062",
                "220106585106022402331435815346987584900",
                "209454881083987832169278606524251629464",
                "236513909239447700438713678376380667808"
            ]
        },
        "id": "CVE-2026-9753-1720b4a5",
        "signature_type": "Line",
        "target": {
            "file": "src/mongo/db/query/write_ops/write_ops_exec_test.cpp"
        }
    },
    {
        "source": "https://github.com/mongodb/mongo/commit/1e3c7c32cb8246028ecc02d1d4b6c6c1f70ba429",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "166907568856978077527464439951043576997",
            "length": 803.0
        },
        "id": "CVE-2026-9753-177973cb",
        "signature_type": "Function",
        "target": {
            "function": "validateRequestForAPIVersion",
            "file": "src/mongo/db/pipeline/aggregation_request_helper.cpp"
        }
    },
    {
        "source": "https://github.com/mongodb/mongo/commit/1e3c7c32cb8246028ecc02d1d4b6c6c1f70ba429",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "80993861282303540082374336386478101984",
            "length": 2466.0
        },
        "id": "CVE-2026-9753-1c4c4408",
        "signature_type": "Function",
        "target": {
            "function": "TEST_F",
            "file": "src/mongo/db/query/write_ops/write_ops_exec_test.cpp"
        }
    },
    {
        "source": "https://github.com/mongodb/mongo/commit/ef9b301aabaadf6850a065ac7fcd6b327be8c3c2",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "174998403124653740785832338368523143456",
                "195597813628417826792599755283872434533",
                "35121533934985493290280581719442999597",
                "250189946382220132725671125359187123104",
                "335422712820504450491531006393880496577",
                "20005679044720583151091149993640543000",
                "275057660019837301573080575671581138841",
                "118703497020578914518273191703017441490",
                "7783128965371646123963090736034524757",
                "97370122612351530264443556156513731532",
                "73781963797617986215115702098958022004",
                "273958897543711387616670573192535233890",
                "19835129639943419341267922366511847573"
            ]
        },
        "id": "CVE-2026-9753-37a42e90",
        "signature_type": "Line",
        "target": {
            "file": "src/mongo/util/net/openssl_init.cpp"
        }
    },
    {
        "source": "https://github.com/mongodb/mongo/commit/065930ba70a49b0347dc5b8f0c04851770a68af2",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "33576969391667528712105414855855095210",
            "length": 1759.0
        },
        "id": "CVE-2026-9753-3818d52e",
        "signature_type": "Function",
        "target": {
            "function": "_speculateSaslStart",
            "file": "src/mongo/client/authenticate.cpp"
        }
    },
    {
        "source": "https://github.com/mongodb/mongo/commit/1e3c7c32cb8246028ecc02d1d4b6c6c1f70ba429",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "139003973651184330825232460885165143342",
                "326327286876524191664573910910733841197",
                "201010144386666100831709597301329867408",
                "238172519026952072388623448764090946616",
                "150530340747984040105585632915270331658",
                "261001565073159049059253410734251117508",
                "301554335781787585942024321791597726223",
                "68687955472087118704060565545473008431",
                "189907234794602120716515394122932582079",
                "109319411453406127717474571158384123372"
            ]
        },
        "id": "CVE-2026-9753-60a52bfd",
        "signature_type": "Line",
        "target": {
            "file": "src/mongo/db/pipeline/variables.cpp"
        }
    },
    {
        "source": "https://github.com/mongodb/mongo/commit/1e3c7c32cb8246028ecc02d1d4b6c6c1f70ba429",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "201630955409724750278170577941240966804",
                "143314775941851585133796736215278774546",
                "83793512496032093979220562351551591094",
                "45450630048429459114369538718073463549",
                "31272677362475748439578075055985933301",
                "41202910159203610737232058278783453941",
                "335034453997521887169494091237162080241",
                "91747350517002491231927320071107484682",
                "315547871431241435455883696545867605802"
            ]
        },
        "id": "CVE-2026-9753-71b2e2de",
        "signature_type": "Line",
        "target": {
            "file": "src/mongo/db/query/write_ops/write_ops.cpp"
        }
    },
    {
        "source": "https://github.com/mongodb/mongo/commit/1e3c7c32cb8246028ecc02d1d4b6c6c1f70ba429",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "215007885188677139124391370534346903790",
            "length": 1368.0
        },
        "id": "CVE-2026-9753-78addba3",
        "signature_type": "Function",
        "target": {
            "function": "Variables::transitionalExtractRuntimeConstants",
            "file": "src/mongo/db/pipeline/variables.cpp"
        }
    },
    {
        "source": "https://github.com/mongodb/mongo/commit/1e3c7c32cb8246028ecc02d1d4b6c6c1f70ba429",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "314763807676857937631086388324992689162",
            "length": 992.0
        },
        "id": "CVE-2026-9753-7cd175d0",
        "signature_type": "Function",
        "target": {
            "function": "estimateRuntimeConstantsSize",
            "file": "src/mongo/db/query/write_ops/write_ops.cpp"
        }
    },
    {
        "source": "https://github.com/mongodb/mongo/commit/065930ba70a49b0347dc5b8f0c04851770a68af2",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "105051277585384029869713401387324710299",
                "135010353328424632509818700676883262741",
                "230022231509017531526336883388413859957",
                "21785236440502061071534570285577718704",
                "314611412092879437439966455802374359968",
                "4328176094298166889601989525363512001",
                "89833129311893956686513176585485383462",
                "67104821923433815313850425352519867386",
                "66993897057338546953195861906592522514",
                "41622748248584985132494531963597557744",
                "242973420897860388216828233337695113596",
                "336731002354755517834207641772257008949",
                "64002474223761432976487321914411588332",
                "261309617626622354563994167105861925016",
                "229808833034910568928737793619657257065",
                "327973055814987959560058864332639589393",
                "331230983148226970461307129171652554653",
                "194280706403459704585085037893015299868",
                "132169427929260727166827845414640998831",
                "263821533391834434161668531794875587617",
                "231008637408865177850436966867033654335",
                "131209670928832011957508828184726650364",
                "64002474223761432976487321914411588332",
                "261309617626622354563994167105861925016",
                "152599178162463674149335674778053474470",
                "82317842280543420915626715536098646954",
                "89485288152782603664608867313022701634",
                "201049280170827963568948467383659578170",
                "186915239712986481660363218458077044420",
                "81595865256585900407563580384512090789",
                "89485288152782603664608867313022701634",
                "201049280170827963568948467383659578170"
            ]
        },
        "id": "CVE-2026-9753-80a3d3f5",
        "signature_type": "Line",
        "target": {
            "file": "src/mongo/client/authenticate.cpp"
        }
    },
    {
        "source": "https://github.com/mongodb/mongo/commit/1e3c7c32cb8246028ecc02d1d4b6c6c1f70ba429",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "199277108881247090008089064970489480756",
                "262659735080644839981408736376524170838",
                "184199251189374183021798221865414612859",
                "189687695048587286787935123825246628451"
            ]
        },
        "id": "CVE-2026-9753-815d545c",
        "signature_type": "Line",
        "target": {
            "file": "src/mongo/db/pipeline/aggregation_request_helper.cpp"
        }
    },
    {
        "source": "https://github.com/mongodb/mongo/commit/065930ba70a49b0347dc5b8f0c04851770a68af2",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "20399944836295365806244165546970965254",
            "length": 2313.0
        },
        "id": "CVE-2026-9753-99e1e8a5",
        "signature_type": "Function",
        "target": {
            "function": "saslClientAuthenticateImpl",
            "file": "src/mongo/client/sasl_client_authenticate_impl.cpp"
        }
    },
    {
        "source": "https://github.com/mongodb/mongo/commit/065930ba70a49b0347dc5b8f0c04851770a68af2",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "119297248915920219031821473937269301824",
                "192950127050229143070957758609674490481",
                "299256134244687864194021167969650322418",
                "78705388978130039955877200458257143577",
                "321869386180767067962050016171660673429",
                "92304406178298145235033043329826640960",
                "203486625542267065639036914103785025824",
                "101091632339192440179784421579332741865",
                "121174813050634776452676460079189488323",
                "128019987876497809896042531600850302807",
                "254894470578114612803585286215406515998",
                "214382625466148222914899976163699517733",
                "190404496706438243159513143102836777584",
                "56154081985503966229462899327055184543",
                "208419707775319461290978685733013608031",
                "112980909939898786886727276248725730797",
                "125593633845177966189813606560474867521",
                "171922900114146216740577553907126530807",
                "101091632339192440179784421579332741865",
                "264963333426305115134532843740947636372",
                "89987837705424899310632089922787348176",
                "57891838713164422666568581445619931080",
                "60290105400638828282268502673375231284",
                "142183950137575110969330755820960546057",
                "56154081985503966229462899327055184543",
                "208419707775319461290978685733013608031"
            ]
        },
        "id": "CVE-2026-9753-bae78291",
        "signature_type": "Line",
        "target": {
            "file": "src/mongo/client/sasl_client_authenticate_impl.cpp"
        }
    },
    {
        "source": "https://github.com/mongodb/mongo/commit/065930ba70a49b0347dc5b8f0c04851770a68af2",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "45101164990253539481215998889390091905",
            "length": 1778.0
        },
        "id": "CVE-2026-9753-e4b18909",
        "signature_type": "Function",
        "target": {
            "function": "authX509",
            "file": "src/mongo/client/authenticate.cpp"
        }
    }
]
vanir_signatures_modified
"2026-07-15T19:06:44Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9753.json"