CVE-2026-9748: CWE-617 Reachable assertion in MongoDB MongoDB Server
The $_internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general purpose skip mechanism, but rather a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines. When this stage is placed before $facet in a pipeline, TeeBuffer receives the unexpected PauseExecution from upstream and hits a hard invariant assertion, crashing mongod.
AI Analysis
Technical Summary
The vulnerability arises because the $_internalConvertBucketIndexStats stage uses PauseExecution as a signal to skip documents when index stats conversion fails. However, PauseExecution is intended only as an internal signal for $facet sub-pipeline coordination. If $_internalConvertBucketIndexStats precedes $facet in a pipeline, TeeBuffer receives an unexpected PauseExecution signal, triggering a reachable assertion failure (CWE-617) that crashes the MongoDB server process (mongod). This affects MongoDB Server versions 7.0.0, 8.0.0, 8.2.0, and 8.3.0.
Potential Impact
Successful exploitation causes the mongod process to crash due to a reachable assertion failure, resulting in a denial of service condition. There is no indication of data corruption or unauthorized access from the provided data. The CVSS 4.0 base score is 7.1, indicating high severity with network attack vector, low attack complexity, and no user interaction required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround is provided in the available data. Until a patch is released, avoid constructing aggregation pipelines where the $_internalConvertBucketIndexStats stage precedes a $facet stage to prevent triggering the assertion failure.
CVE-2026-9748: CWE-617 Reachable assertion in MongoDB MongoDB Server
Description
The $_internalConvertBucketIndexStats stage used PauseExecution as a way to signal "skip this document" when an index stats conversion failed. But PauseExecution is not a general purpose skip mechanism, but rather a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines. When this stage is placed before $facet in a pipeline, TeeBuffer receives the unexpected PauseExecution from upstream and hits a hard invariant assertion, crashing mongod.
CVSS v4.0
Score 7.1high
Affected software
pkg:github/mongodb/mongoRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises because the $_internalConvertBucketIndexStats stage uses PauseExecution as a signal to skip documents when index stats conversion fails. However, PauseExecution is intended only as an internal signal for $facet sub-pipeline coordination. If $_internalConvertBucketIndexStats precedes $facet in a pipeline, TeeBuffer receives an unexpected PauseExecution signal, triggering a reachable assertion failure (CWE-617) that crashes the MongoDB server process (mongod). This affects MongoDB Server versions 7.0.0, 8.0.0, 8.2.0, and 8.3.0.
Potential Impact
Successful exploitation causes the mongod process to crash due to a reachable assertion failure, resulting in a denial of service condition. There is no indication of data corruption or unauthorized access from the provided data. The CVSS 4.0 base score is 7.1, indicating high severity with network attack vector, low attack complexity, and no user interaction required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary workaround is provided in the available data. Until a patch is released, avoid constructing aggregation pipelines where the $_internalConvertBucketIndexStats stage precedes a $facet stage to prevent triggering the assertion failure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- mongodb
- Date Reserved
- 2026-05-27T17:47:07.609Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2892f48dd33fbd858e3b44
Added to database: 6/9/2026, 10:25:56 PM
Last enriched: 6/9/2026, 10:40:52 PM
Last updated: 6/13/2026, 6:20:53 AM
Views: 25
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.