CVE-2026-4358 in Server
Summary
by MITRE • 03/17/2026
A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.
Analysis
by VulDB Data Team • 03/21/2026
This vulnerability in the MongoDB database server is a memory safety issue reachable through crafted aggregation operations. It lies in the slot-based execution (SBE) engine, which processes complex aggregation pipelines. When an authenticated user with write privileges runs a carefully constructed $lookup operation, memory is mishandled while an in-memory hash table is spilled to disk: the engine fails to track and release the hash table's memory correctly as the data moves from memory to disk storage, producing either a double free or a use after free. Both are severe memory corruption conditions that can lead to arbitrary code execution or server instability, and they point to a fundamental flaw in how the engine manages memory lifecycle during complex query execution.
Exploitation requires an authenticated user with write permissions on the database, which significantly narrows the attack surface compared to privilege escalation issues. The impact is still severe: the flaw can be used to cause a denial of service or potentially to execute arbitrary code on the database server. The corruption happens specifically during the spill-to-disk step, when the SBE engine handles a hash table that has outgrown available memory; the allocation and deallocation sequence that accompanies the transition from in-memory to disk-based storage is where the bookkeeping goes wrong. Because the trigger is an otherwise legitimate database operation, detection and prevention are difficult for administrators.
The operational impact goes beyond simple crashes or degraded performance. Organizations running MongoDB may see unexpected service interruptions, data corruption, or privilege escalation scenarios that compromise entire database environments. Any deployment that uses the SBE engine for aggregation is affected, which covers a significant share of modern MongoDB deployments. An attacker could use the issue to gain unauthorized access to database resources or to disrupt service across many instances, and the memory corruption could also harm data integrity, with transactions corrupted or lost while a maliciously crafted aggregation query runs.
Mitigation should start with immediate patching of affected MongoDB versions and with strict access controls that grant write privileges only to trusted users. Database administrators should monitor for unusual aggregation query patterns that may indicate exploitation attempts. The recommended steps are upgrading to a MongoDB release that fixes the SBE memory management issue, segmenting the network to limit database access, and logging aggregation operations comprehensively. Organizations may also consider a database firewall or query filtering mechanism that can detect and block suspicious $lookup operations. The vulnerability maps to CWE-415 (double free) and CWE-416 (use after free), and is a significant concern in the context of ATT&CK technique T1059.002 (command and scripting interpreter usage for exploitation).
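As an added example (not code from VulDB or MongoDB), the following Python scans mongod structured log lines for the pattern this advisory describes: an `aggregate` command whose pipeline contains `$lookup` (including inside `$unionWith` or `$facet` sub-pipelines) and that spilled to disk. It assumes the "Slow query" JSON log shape with `attr.command`, `attr.usedDisk` and `attr.remote`, and the log lines below are constructed samples; because recent MongoDB releases allow disk use by default, it keys on `usedDisk` rather than on the client's `allowDiskUse` option.

```python
import json

# Constructed sample lines in the shape of mongod's structured "Slow query" log
# entry (log id 51803). These are made-up records, not real captured logs.
SAMPLE_LOG = """
{"t":{"$date":"2026-03-18T10:01:02.123+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn41","msg":"Slow query","attr":{"type":"command","ns":"app.orders","command":{"aggregate":"orders","pipeline":[{"$lookup":{"from":"items","localField":"_id","foreignField":"order","as":"items"}}],"cursor":{},"$db":"app"},"usedDisk":true,"durationMillis":4120,"remote":"10.0.0.5:51234"}}
{"t":{"$date":"2026-03-18T10:01:05.000+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn42","msg":"Slow query","attr":{"type":"command","ns":"app.orders","command":{"find":"orders","filter":{"status":"open"},"$db":"app"},"durationMillis":150,"remote":"10.0.0.6:51235"}}
{"t":{"$date":"2026-03-18T10:01:09.000+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn43","msg":"Slow query","attr":{"type":"command","ns":"app.orders","command":{"aggregate":"orders","pipeline":[{"$match":{"x":1}},{"$unionWith":{"coll":"archive","pipeline":[{"$lookup":{"from":"items","localField":"_id","foreignField":"order","as":"i"}}]}}],"cursor":{},"$db":"app"},"usedDisk":true,"durationMillis":9800,"remote":"10.0.0.7:51236"}}
{"t":{"$date":"2026-03-18T10:01:12.000+00:00"},"s":"I","c":"COMMAND","id":51803,"ctx":"conn44","msg":"Slow query","attr":{"type":"command","ns":"app.orders","command":{"aggregate":"orders","pipeline":[{"$lookup":{"from":"items","localField":"_id","foreignField":"order","as":"i"}}],"cursor":{},"$db":"app"},"usedDisk":false,"durationMillis":30,"remote":"10.0.0.8:51237"}}
"""

def contains_lookup(node):
    """Recursively search a pipeline (or any stage body) for a $lookup stage,
    so a $lookup nested in a $unionWith/$facet sub-pipeline is also found."""
    if isinstance(node, dict):
        return "$lookup" in node or any(contains_lookup(v) for v in node.values())
    if isinstance(node, list):
        return any(contains_lookup(v) for v in node)
    return False

def find_spilled_lookups(log_text):
    """Return (ctx, remote, ns, durationMillis) for every aggregate command
    whose pipeline contains $lookup and that spilled to disk (usedDisk true)."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not structured JSON (legacy text format)
        attr = entry.get("attr", {})
        cmd = attr.get("command", {})
        if "aggregate" not in cmd:
            continue  # only aggregation commands can carry a $lookup stage
        if not contains_lookup(cmd.get("pipeline", [])):
            continue
        if not attr.get("usedDisk", False):
            continue  # the advisory's trigger is the spill-to-disk path
        hits.append((entry.get("ctx"), attr.get("remote"), attr.get("ns"), attr.get("durationMillis")))
    return hits

if __name__ == "__main__":
    for hit in find_spilled_lookups(SAMPLE_LOG):
        print("spilled $lookup aggregation:", hit)
```

Slow query entries are only written for operations above the slow-operation threshold (or when profiling is on), so lower that threshold on the instances you want to watch, or the spill events will not reach the log.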