Analysis pending: CVE-2026-8199

CVE-2026-8199: Memory Exhaustion in MongoDB Server 8.3.2

Platform

mongodb

Component

mongodb

Fixed version

8.3.2

CVE-2026-8199 describes a vulnerability in MongoDB Server where an authenticated user can trigger excessive memory usage through the use of bitwise match expressions ($bitsAllSet, $bitsAnySet, $bitsAllClear, and $bitsAnyClear). This can lead to memory pressure and potentially a denial-of-service (DoS) condition due to out-of-memory (OOM) errors. This vulnerability affects MongoDB Server versions 7.0.0 through 8.3.2 and has been resolved in version 8.3.2.

Impact and attack scenarios

The primary impact of CVE-2026-8199 is denial of service. By issuing queries that use bitwise match expressions, an authenticated user can force the MongoDB server to allocate excessive memory. This can exhaust available resources, degrade performance and ultimately crash the process with an out-of-memory error. The flaw does not lead to code execution, but the resulting DoS can disrupt critical services and prevent legitimate users from reaching the database. The blast radius is limited to the affected MongoDB server, yet the impact can be significant when that server is a critical component of the application infrastructure. The vulnerability underlines the importance of query control and resource management in MongoDB deployments.

Exploitation context

CVE-2026-8199 was published on 2026-05-13. Exploitability is considered medium, since it requires authenticated access and specifically crafted queries. No public proof-of-concept (PoC) exploit is currently available. The EPSS score is likely to be low to medium, reflecting the DoS-only impact and the authentication requirement. Refer to the MongoDB security advisory for further details.

Threat intelligence

Exploitation status

Proof of concept: Unknown
CISA KEV: No
Internet exposure:

CVSS vector

Threat intelligence · CVSS 3.1

Vector:     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Base score: 6.5 (MEDIUM)

Attack Vector:        Network    (how the attacker reaches the target)
Attack Complexity:    Low        (conditions required to exploit the flaw)
Privileges Required:  Low        (authentication level needed to attack)
User Interaction:     None       (whether the victim must take an action)
Scope:                Unchanged  (impact beyond the affected component)
Confidentiality:      None       (risk of sensitive data disclosure)
Integrity:            None       (risk of unauthorized data modification)
Availability:         High       (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet, with no physical or local access required. This is the largest possible attack surface.
Attack Complexity
Low: no special conditions are needed, and the vulnerability can be exploited reliably.
Privileges Required
Low: any valid user account is sufficient.
User Interaction
None: the attack is automatic and silent; the victim does not need to do anything.
Scope
Unchanged: the impact is confined to the vulnerable component itself.
Confidentiality
None: no confidentiality impact.
Integrity
None: no integrity impact.
Availability
High: complete crash or resource exhaustion, i.e. full denial of service.

Affected software

Component:       mongodb
Vendor:          MongoDB, Inc.
Minimum version: 7.0.0
Maximum version: 8.3.2
Fixed version:   8.3.2

Weakness classification (CWE)

Timeline

  1. Publication date

Mitigations and workarounds

The recommended mitigation for CVE-2026-8199 is to upgrade to MongoDB Server version 8.3.2 or later. As a temporary workaround, restrict the ability to run bitwise match expressions to trusted users only. Implement resource limits and monitoring so that excessive memory usage is detected and acted on quickly. Review application queries to avoid unnecessary use of bitwise match expressions. A Web Application Firewall (WAF) can filter potentially malicious queries, although it offers little protection against authenticated users. After upgrading, monitor server resource utilization to confirm that the issue is resolved and no excessive memory usage remains.
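The two defender-side tasks above, checking whether a deployed server still falls inside the affected range and spotting unexpected use of the four bitwise operators, can be scripted. The following is an added example written for this page; it is not code from the advisory or from MongoDB. It assumes the fixed releases listed in the remediation text (7.0.34, 8.0.23, 8.2.9, 8.3.2), treats any other branch inside 7.0.0 to 8.3.2 as affected, and reads mongod's JSON structured log format. The log lines are constructed samples, not captured output.

```python
"""Triage helpers for CVE-2026-8199 (added example, not from the advisory or
from MongoDB): a version-range check and a scan of mongod slow-query log
entries for the bitwise match operators named in the advisory."""
import json

# Fixed releases per branch, as listed in the advisory's remediation text.
FIXED_VERSIONS = {"7.0": "7.0.34", "8.0": "8.0.23", "8.2": "8.2.9", "8.3": "8.3.2"}
AFFECTED_MIN = "7.0.0"
AFFECTED_MAX = "8.3.2"

BITWISE_OPERATORS = ("$bitsAllSet", "$bitsAnySet", "$bitsAllClear", "$bitsAnyClear")


def parse_version(version):
    """Turn '8.3.1' into (8, 3, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version):
    """True if `version` lies in the affected range and is older than the
    fixed release for its major.minor branch. Assumption: a branch with no
    listed fix is treated as affected whenever it is inside the range."""
    parts = parse_version(version)
    if parts < parse_version(AFFECTED_MIN):
        return False
    fixed = FIXED_VERSIONS.get(f"{parts[0]}.{parts[1]}")
    if fixed is None:
        return parts <= parse_version(AFFECTED_MAX)
    return parts < parse_version(fixed)


def _collect_operators(obj, found):
    """Walk a parsed command document and record any bitwise operator keys."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key in BITWISE_OPERATORS:
                found.add(key)
            _collect_operators(value, found)
    elif isinstance(obj, list):
        for item in obj:
            _collect_operators(item, found)


def find_bitwise_queries(log_lines):
    """Scan mongod JSON log lines for 'Slow query' entries whose command uses a
    bitwise match operator; returns one summary dict per hit."""
    hits = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines (e.g. startup banners) are skipped
        if entry.get("msg") != "Slow query":
            continue
        attr = entry.get("attr", {})
        found = set()
        _collect_operators(attr.get("command", {}), found)
        if found:
            hits.append({
                "ns": attr.get("ns"),
                "appName": attr.get("appName"),
                "operators": sorted(found),
                "durationMillis": attr.get("durationMillis"),
            })
    return hits


# Constructed sample log lines in mongod's JSON log shape (not real captures).
SAMPLE_LOG = [
    '{"t":{"$date":"2026-05-14T10:00:01.000+00:00"},"s":"I","c":"COMMAND","id":51803,'
    '"ctx":"conn42","msg":"Slow query","attr":{"type":"command","ns":"app.devices",'
    '"appName":"inventory-svc","command":{"find":"devices","filter":{"flags":'
    '{"$bitsAllSet":[1,5]}}},"durationMillis":1840}}',
    '{"t":{"$date":"2026-05-14T10:00:02.000+00:00"},"s":"I","c":"COMMAND","id":51803,'
    '"ctx":"conn43","msg":"Slow query","attr":{"type":"command","ns":"app.orders",'
    '"appName":"billing","command":{"find":"orders","filter":{"status":"open"}},'
    '"durationMillis":250}}',
    '{"t":{"$date":"2026-05-14T10:00:03.000+00:00"},"s":"I","c":"COMMAND","id":51803,'
    '"ctx":"conn44","msg":"Slow query","attr":{"type":"command","ns":"app.devices",'
    '"appName":"adhoc-shell","command":{"aggregate":"devices","pipeline":[{"$match":'
    '{"$or":[{"flags":{"$bitsAnyClear":3}},{"flags":{"$bitsAllClear":12}}]}}]},'
    '"durationMillis":5100}}',
    "not a JSON log line",
]

if __name__ == "__main__":
    for v in ("7.0.33", "7.0.34", "8.1.0", "8.3.1", "8.3.2"):
        print(v, "affected" if is_affected(v) else "not affected")
    for hit in find_bitwise_queries(SAMPLE_LOG):
        print(hit)
```

In practice the log scan would be run over the server's log file (or a log pipeline) and filtered by `appName` or namespace; hits from an unexpected application, or with unusually long `durationMillis`, are the ones worth correlating with memory-usage alerts while the upgrade is scheduled.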

Remediation

Upgrade your MongoDB Server instance to version 7.0.34, 8.0.23, 8.2.9 or 8.3.2 or later to mitigate the risk of memory exhaustion. This update addresses the vulnerability by correcting the processing of bitwise match expressions, preventing excessive memory use and possible denial of service.

Frequently asked questions

What is CVE-2026-8199?

CVE-2026-8199 is a vulnerability in MongoDB Server that allows an authenticated user to cause excessive memory usage through bitwise match expressions, potentially disrupting service.

Am I affected?

If your MongoDB Server version is between 7.0.0 and 8.3.2, you may be affected. Upgrade to 8.3.2 or later immediately.

How do I fix it?

Upgrading to MongoDB Server 8.3.2 or later is the primary fix for this vulnerability.

Is this vulnerability being exploited?

There is currently no public PoC, but close monitoring is recommended.

Where can I learn more?

Refer to MongoDB's security advisory and the NVD database for further details.
