This vulnerability (CVE-2026-8336) is a use-after-free issue (CWE-416) in MongoDB Server's handling of certain server-side JavaScript execution paths. Specifically, after invoking the internal function $_internalJsEmit or the mapreduce map function in a certain manner, subsequent use of server-side JavaScript features like $where, $function, or the mapreduce reduce stage can cause the mongod process to crash. The flaw requires authenticated access and affects multiple MongoDB Server versions before the specified patched releases. The CVSS 4.0 base score is 7.7, indicating a high severity due to network attack vector, partial complexity, and significant impact on confidentiality, integrity, and availability.

An authenticated user can exploit this vulnerability to cause a denial-of-service by crashing the mongod process, resulting in service disruption. There is no indication of remote code execution or data corruption beyond the DoS impact. The vulnerability affects multiple recent MongoDB Server versions prior to the fixed releases.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The affected versions are listed, but no explicit patch or official fix information is provided in the available data. Until a patch is confirmed, avoid using the $_internalJsEmit function directly and exercise caution with server-side JavaScript features such as $where, $function, and mapreduce commands in environments where authenticated users have access. Monitor MongoDB's official advisories for updates and apply patches promptly once available.