Introduction
A single unauthenticated network packet can crash a MongoDB Server process, and the server's own recursion guard is powerless to stop it. CVE-2026-9740 exploits a flaw in how MongoDB's BSON validator tracks recursion depth across mutually recursive function calls, allowing an attacker to exhaust the call stack and terminate mongod before authentication ever takes place.
This vulnerability lands in a context that makes it particularly noteworthy. MongoDB's wire protocol has been a recurring source of pre-authentication security issues throughout 2025 and 2026, including the actively exploited MongoBleed vulnerability (CVE-2025-14847). With MongoDB ranked among the top five most popular database systems globally and the company reporting $591.4 million in Q2 FY2026 revenue, the potential blast radius of a pre-auth DoS flaw in mongod is substantial. Cato Networks estimated that a related pre-auth DoS vulnerability (CVE-2026-25611) put over 210,000 MongoDB instances at risk.
Technical Information
Root Cause: Mutual Recursion with Depth Counter Reset
BSON (Binary JSON) is MongoDB's primary data serialization format, used for both document storage and the wire protocol that clients use to communicate with the server. Every incoming client message is encoded as a BSON document and must be validated by mongod before any further processing occurs.
The BSON specification supports multiple binary subtypes, some of which can contain embedded BSON documents. When the BSON validator encounters a binary element that itself contains a BSON document, it recursively invokes a validation function. The critical flaw in CVE-2026-9740 is that this recursion is mutual rather than self-referential: one validation function (handling binary data) calls a second validation function (handling document structure), which in turn calls back to the first. This creates a cycle.
MongoDB's BSON validator does include a depth tracking mechanism intended to prevent excessive recursion. However, according to the NVD description, "each re-entry resets internal depth tracking." This means the depth counter is zeroed or re-initialized on each mutual call, effectively negating the stack depth guard. The recursion proceeds unchecked until the process stack is exhausted, resulting in a segfault or stack overflow termination of the mongod process.
This flaw is classified under CWE-674: Uncontrolled Recursion, which MITRE defines as a weakness where "the product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack." CWE-674 notes that the primary consequence is denial of service: "resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash."
CVSS v4.0 Attack Profile
The CNA (MongoDB, Inc.) assessed this vulnerability with a CVSS v4.0 base score of 8.7 (High) using the vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N. The breakdown is as follows:
| CVSS v4 Metric | Value | Meaning |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over TCP/IP |
| Attack Complexity (AC) | Low | No special conditions required |
| Attack Requirements (AT) | None | No prior access or state needed |
| Privileges Required (PR) | None | No authentication needed |
| User Interaction (UI) | None | No user action needed |
| Vulnerability Availability (VA) | High | Complete server crash |
All confidentiality and integrity impact metrics are None, confirming this is a pure availability impact vulnerability.
Attack Flow
An attacker exploiting CVE-2026-9740 would follow this sequence:
-
Identify a reachable MongoDB instance. The default MongoDB wire protocol port is TCP 27017. No credentials or prior knowledge of the database contents are required.
-
Craft a malicious BSON message. The attacker constructs a BSON document containing nested binary elements with embedded BSON sub-documents. The nesting is structured so that the mutual recursion between the binary validation function and the document validation function cycles repeatedly. Because each re-entry resets the depth counter, the recursion guard never fires.
-
Send the message to the mongod process. The crafted BSON message is sent over the MongoDB wire protocol. BSON validation occurs during the initial message parsing phase, before any authentication or authorization checks.
-
Stack exhaustion and process termination. The mutual recursion consumes stack frames until the process stack is exhausted. The mongod process terminates with a segfault or stack overflow, causing a complete denial of service for all applications depending on that MongoDB instance.
-
Repeated exploitation. If the mongod process is configured to restart automatically (as is common in production deployments), the attacker can repeatedly send the crafted message to keep the service in a crash loop.
Pre-Authentication Attack Surface
The fact that BSON validation occurs before authentication is a critical aspect of this vulnerability. Even MongoDB deployments that enforce strong authentication, TLS, and role-based access control are vulnerable to any attacker who can complete a TCP connection (and, if TLS is required, a TLS handshake) to the mongod port. The authentication check never executes because the process crashes during message parsing.
Relationship to Other BSON and Wire Protocol Vulnerabilities
CVE-2026-9740 fits into a broader pattern of BSON and wire protocol vulnerabilities in MongoDB Server:
| CVE | Type | CWE | Authentication | Impact |
|---|---|---|---|---|
| CVE-2026-9740 | BSON mutual recursion stack overflow | CWE-674 | Pre-auth | mongod crash |
| CVE-2026-6231 | BSON validation bypass (C Driver) | N/A | Post-auth | Malformed data accepted |
| CVE-2026-6914 | BSON MD5 checksum crash | N/A | Post-auth | mongod crash |
| CVE-2026-25611 | Pre-auth memory exhaustion | N/A | Pre-auth | mongod crash |
| CVE-2025-6710 | JSON parsing stack overflow | CWE-674 | Pre-auth | mongod crash |
| CVE-2025-14847 | Zlib compressed header confusion (MongoBleed) | N/A | Pre-auth | Uninitialized heap read |
The recurrence of CWE-674 in both CVE-2026-9740 and CVE-2025-6710 suggests that MongoDB's codebase has insufficient recursion depth controls across multiple input parsing subsystems. The concentration of pre-authentication vulnerabilities in the wire protocol layer indicates a systemic weakness in input validation at the protocol boundary.
CWE-674 Mitigation at the Implementation Level
CWE-674 prescribes specific implementation-level mitigations. The primary fix is to ensure that an end condition is reached under all logic conditions, for instance by explicitly checking the depth of recursion against a safe limit and returning an error if that limit is exceeded. For CVE-2026-9740 specifically, the BSON validator must track depth across mutual recursion boundaries without resetting the counter on re-entry.
CWE-674 documentation explicitly notes that increasing the program stack size is a workaround with only "Limited" effectiveness because it "does not correct the underlying algorithmic flaw" and merely delays the crash at higher nesting depths. These implementation-level fixes are for MongoDB, Inc. to apply in the server code; operators cannot directly implement them.
Affected Systems and Versions
As of the NVD publication date (June 9, 2026), the specific MongoDB Server versions affected by CVE-2026-9740 have not been enumerated in the NVD record, and no patch versions have been identified in available sources. The sole external reference is the MongoDB JIRA issue SERVER-125063, which should contain authoritative version and fix details once updated.
Based on MongoDB's established patching pattern for similar vulnerabilities, the fix will likely be released as patch updates to currently supported release lines (7.0, 8.0, 8.2, and 8.3). For reference, CVE-2025-14847 was patched in MongoDB 8.0.17 and 7.0.28, and CVE-2026-25611 was patched across versions 7.0 through 8.2.4.
Organizations should monitor the MongoDB Alerts page and the SERVER-125063 JIRA issue for the official patch announcement.
Compensating Controls While Awaiting a Patch
While no patch is available, the following compensating controls can reduce exposure:
-
Restrict network access to MongoDB ports. Ensure that TCP port 27017 (and any custom ports) are not exposed to untrusted networks. Use firewall rules or cloud security groups to limit access to known application servers and administrative hosts. The CVSS vector confirms the attack is network-based (AV:N), so network segmentation directly reduces the attack surface.
-
Implement IP allowlisting. MongoDB Atlas and self-managed deployments support IP allowlists. Restricting which source IPs can connect reduces the pool of potential attackers.
-
Deploy connection rate limiting. Rate limiting can help prevent rapid repeated crash-restart cycles if an attacker attempts sustained exploitation.
-
Require TLS. While TLS does not prevent exploitation by an attacker who can complete a TLS handshake, it raises the bar for blind exploitation and may allow network monitoring tools to detect anomalous connection patterns.
Vendor Security History
MongoDB's security track record in 2025 and 2026 reveals a concerning pattern of vulnerabilities in the server's wire protocol parsing layer. The OpenCVE database tracks 151 CVEs associated with the MongoDB vendor.
The most significant recent vulnerability was CVE-2025-14847, dubbed "MongoBleed," disclosed on December 12, 2025. This flaw affected MongoDB Server versions from 3.6 through 8.2 and allowed unauthenticated remote attackers to read uninitialized heap memory due to a mismatch in zlib compressed protocol header length handling. Both Bitsight and Wiz confirmed that CVE-2025-14847 was actively exploited in the wild. The Canadian Centre for Cyber Security issued alert AL25-021 in response. MongoDB patched this in versions 7.0.28, 8.0.17, and 8.2.x.
In February 2026, CVE-2026-25611 introduced another pre-authentication denial of service via memory exhaustion. Cato Networks estimated that over 210,000 MongoDB instances were at risk.
CVE-2025-6710, a JSON parsing stack overflow also classified under CWE-674, demonstrated the same class of uncontrolled recursion flaw in a different parsing subsystem. The recurrence of CWE-674 across multiple components raises questions about whether earlier security audits should have identified the recursion depth reset pattern before it reached production code.
MongoDB, Inc. serves as its own CVE Numbering Authority (CNA), as indicated by the source field [email protected] in the CVE-2026-9740 record. This self-reporting model provides timely disclosure but relies on the vendor's thoroughness in identifying and reporting flaws across its codebase.
The progression from MongoBleed (confirmed exploited, December 2025) to CVE-2026-25611 (February 2026) to CVE-2026-9740 (June 2026) shows an accelerating pace of MongoDB wire protocol vulnerability discovery. Each new pre-auth vulnerability increases the likelihood that threat actors maintain active MongoDB scanning and exploitation tooling.
References
- NVD: CVE-2026-9740
- MongoDB JIRA: SERVER-125063
- MongoDB Alerts
- CWE-674: Uncontrolled Recursion
- CISA Known Exploited Vulnerabilities Catalog
- Bitsight: CVE-2025-14847 MongoDB "MongoBleed"
- Wiz: MongoBleed (CVE-2025-14847) Exploited in the Wild
- Canadian Centre for Cyber Security: AL25-021
- Palo Alto Unit 42: Threat Brief on CVE-2025-14847
- Cato Networks: CVE-2026-25611 MongoDB Vulnerability
- SentinelOne: CVE-2026-25611
- OpenCVE: MongoDB CVEs
- NVD: CVE-2025-14847
- NVD: CVE-2026-6231



