Server Crash Vulnerability in MongoDB Due to GeoJSON GeometryCollection Issue
CVE-2026-9752
7.1HIGH
What is CVE-2026-9752?
A vulnerability exists in MongoDB that allows an authorized user to trigger a server crash by executing a query utilizing a 2dsphere index on a field containing a GeoJSON GeometryCollection. Specifically, this occurs when the GeometryCollection includes a Polygon with a strict-winding Coordinate Reference System (CRS). Although strict-winding polygons are not meant to be indexed, the protective mechanism that prevents their use fails to examine the contents of a GeometryCollection. This oversight can lead to an invalid access pattern, resulting in a null-pointer dereference that crashes the server.
Affected Version(s)
MongoDB Server 8.3.0 < 8.3.3
MongoDB Server 8.2.0 < 8.2.10
MongoDB Server 8.0.0 < 8.0.24