CVE-2026-4358 — Double Free in INC Mongodb Server

CWE-415 — Double Free5 documents5 sources

Severity

6.1MEDIUMNVD

EPSS

0.1%

top 76.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mongodb INC Mongodb Server Mongodb

Timeline

PublishedMar 17

Description

A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDmongodb/mongodb7.0.0 — 7.0.31+2

▶CVEListV5mongodb_inc/mongodb_server8.2 — 8.2.6+2

🔴Vulnerability Details

OSV

CVE-2026-4358: A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory iss↗2026-03-17

▶

CVEList

Memory safety issues in slot-based execution hash table spill↗2026-03-17

▶

GHSA

GHSA-64ph-qr47-qxh4: A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory iss↗2026-03-17

▶

🕵️Threat Intelligence

Wiz

CVE-2026-4358 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶