CVE-2026-9752
Received Received - Intake
MongoDB Server Crash via GeometryCollection with Strict-Winding Polygon

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: MongoDB, Inc.

Description
An authorized user could trigger a server crash by running a query with a 2dsphere index on a field that stores a GeoJSON GeometryCollection containing a Polygon with a strict-winding CRS. Strict-winding polygons are intentionally unsupported for indexing, but the guard that rejects them does not inspect members of a GeometryCollection, allowing the unsafe path to be reached which ends with an ensuing null-pointer dereference.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-10
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2026-9752
EUVD
EUVD-2026-35851
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mongodb mongodb *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs when an authorized user runs a query using a 2dsphere index on a field that contains a GeoJSON GeometryCollection with a Polygon that has a strict-winding Coordinate Reference System (CRS).

Strict-winding polygons are not supported for indexing, but the system's check that rejects these polygons does not examine the individual members inside a GeometryCollection. This oversight allows the unsafe code path to be executed, which ultimately leads to a null-pointer dereference and causes the server to crash.

Impact Analysis

The primary impact of this vulnerability is that an authorized user can cause the server to crash by exploiting the issue with the 2dsphere index and strict-winding polygons inside a GeometryCollection.

This can lead to denial of service (DoS), disrupting availability of the database service and potentially affecting applications relying on it.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9752. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart