Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:H/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A use-after-free vulnerability exists in MongoDB's Field-Level Encryption (FLE) query analysis component, affecting client-side uses of mongocryptd and crypt_shared. Triggering this vulnerability requires control over the structure of a client's FLE-related query.
This issue impacts MongoDB Server’s mongocryptd component v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
AnalysisAI
Use-after-free in MongoDB Server's Field-Level Encryption query analysis component allows authenticated remote attackers with control over FLE query structure to cause information disclosure and denial of service. The vulnerability affects mongocryptd and crypt_shared in versions 7.0 prior to 7.0.34, 8.0 prior to 8.0.23, 8.2 prior to 8.2.9, and 8.3 prior to 8.3.2. No public exploit code identified at time of analysis.
Technical ContextAI
MongoDB's Field-Level Encryption (FLE) provides client-side encryption of sensitive data before transmission to the database. The mongocryptd daemon and crypt_shared library handle query analysis and encryption/decryption operations on the client side. The vulnerability is a use-after-free defect (CWE-416) in the FLE query analysis component, where memory is referenced after being freed. This typically occurs when pointer management fails to track object lifecycle correctly, allowing subsequent operations to access dangling references. An authenticated attacker controlling the structure of FLE-related queries can craft payloads that trigger improper memory reuse, potentially leading to information disclosure through memory corruption or service interruption.
RemediationAI
Upgrade MongoDB Server to patched versions: 7.0.34 or later, 8.0.23 or later, 8.2.9 or later, or 8.3.2 or later. Organizations unable to patch immediately should implement access controls restricting authenticated users who can submit FLE queries to trusted applications only, reducing the attack surface by limiting who can control query structure. Disable Field-Level Encryption on client instances if the feature is not required for the application's use case-this eliminates exposure entirely but may impact data protection strategy. Monitor applications for unusual memory-related errors or crashes correlated with FLE query patterns. These compensating controls trade functionality (encryption availability or user flexibility) against reduced risk exposure until patching is feasible.
More in Mongodb Server
View allOut-of-bounds memory write in MongoDB Server's time-series collection feature enables arbitrary code execution by authen
MongoDB Server sharded clusters are vulnerable to use-after-free memory corruption when authenticated users with read pe
Remote unauthenticated denial-of-service in MongoDB Server's BSON validation layer allows attackers to crash the mongod
Pre-authentication denial-of-service in MongoDB Server allows unauthenticated remote clients to crash the database proce
Authenticated users can crash MongoDB Server by chaining specific server-side JavaScript operations ($_internalJsEmit or
Memory disclosure and denial-of-service in MongoDB Server allows any authenticated user with aggregate command privilege
MongoDB Server exposes an availability and data integrity risk allowing any low-privileged authenticated user to crash t
Remote denial-of-service in MongoDB Server allows an authenticated user to crash the mongod process by submitting an agg
Denial of service in MongoDB Server allows an authenticated user to crash the database process by issuing a geospatial q
Denial of service in MongoDB Server 8.0 allows authenticated users with aggregation pipeline privileges to crash the ser
Denial of service in MongoDB Server allows authenticated users to trigger an assertion failure by running aggregation pi
Denial of service in MongoDB Server allows authenticated remote attackers to crash the database process by submitting ag
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29892
GHSA-r8cx-9wfm-r3m7