{"id":"CVE-2026-4147","summary":"Stack memory disclosure in filemd5 command","details":"An authenticated user with the read role may read limited amounts of uninitialized stack memory via specially-crafted issuances of the filemd5 command.","aliases":["BIT-mongodb-2026-4147"],"modified":"2026-07-15T02:19:53.750823185Z","published":"2026-03-17T15:50:21.888Z","database_specific":{"cwe_ids":["CWE-457"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/4xxx/CVE-2026-4147.json","unresolved_ranges":[{"extracted_events":[{"introduced":"8.2"},{"fixed":"8.2.6"},{"introduced":"8.0"},{"fixed":"8.0.20"},{"introduced":"7.0"},{"fixed":"7.0.31"}],"source":"AFFECTED_FIELD"}],"cna_assigner":"mongodb"},"references":[{"type":"WEB","url":"https://jira.mongodb.org/browse/SERVER-119317"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/4xxx/CVE-2026-4147.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4147"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mongodb/mongo","events":[{"introduced":"37d84072b5c5b9fd723db5fa133fb202ad2317f1"},{"fixed":"ef9c90f7aba16cf5906f8665bb479f89c5aa4a2b"},{"introduced":"b41cda4fe697dce6fd9b83b3805362ccc02fbeb3"},{"fixed":"05009bb976757189fd9bff4cebc5d803a6737a95"},{"introduced":"b993867dce63dd366cd93e60f3f425ed716f6497"},{"fixed":"32a732a9b646200050bedd569d0e18fda534f92c"},{"introduced":"f363edefb03efa1e3e012d90aea1494c7770e8cc"},{"last_affected":"1bda66fa506b02978894c9a81f1821f3c0590507"}],"database_specific":{"extracted_events":[{"introduced":"7.0.0"},{"fixed":"7.0.31"},{"introduced":"8.0.0"},{"fixed":"8.0.20"},{"introduced":"8.2.0"},{"fixed":"8.2.6"},{"introduced":"8.3.0-alpha0"},{"last_affected":"8.3.0-alpha0"},{"introduced":"8.3.0-alpha1"},{"last_affected":"8.3.0-alpha1"},{"introduced":"8.3.0-alpha2"},{"last_affected":"8.3.0-alpha2"},{"introduced":"8.3.0-alpha3"},{"last_affected":"8.3.0-alpha3"},{"introduced":"8.3.0-rc1"},{"last_affected":"8.3.0-rc1"}],"source":["CPE_RANGE","CPE_STRING"],"cpe":["cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*","cpe:2.3:a:mongodb:mongodb:8.3.0:alpha0:*:*:-:*:*:*","cpe:2.3:a:mongodb:mongodb:8.3.0:alpha1:*:*:-:*:*:*","cpe:2.3:a:mongodb:mongodb:8.3.0:alpha2:*:*:-:*:*:*","cpe:2.3:a:mongodb:mongodb:8.3.0:alpha3:*:*:-:*:*:*","cpe:2.3:a:mongodb:mongodb:8.3.0:rc1:*:*:-:*:*:*"]}}],"versions":["8.3.0-alpha0","8.3.0-alpha1","8.3.0-alpha2","8.3.0-alpha3","8.3.0-rc1","r8.3.0-rc1","r8.3.0-rc0","r8.3.0-alpha3","r8.3.0-alpha2","r8.3.0-alpha1","r8.2.4-alpha1","r8.2.4-alpha0","r7.0.27-rc0","r7.0.27","r8.0.17-alpha0","r8.0.16-rc1","r8.0.16","r7.0.27-alpha0","r7.0.26-rc0","r7.0.26","r8.2.3-alpha0","r8.2.2-rc0","r8.2.2","r8.0.16-rc0","r8.0.14-rc1","r8.0.14","r7.0.24-rc0","r7.0.24","r8.2.1-rc1","r8.2.1","r8.2.1-rc0","r7.0.25-alpha0","r8.0.14-rc0","r8.2.0","r8.0.13-rc2","r8.0.13","r8.0.13-rc1","r8.0.13-rc0","r7.0.23-rc1","r7.0.23","r7.0.23-rc0","r8.3.0-alpha0","r7.0.22-rc0","r7.0.22","r8.0.12-rc0","r8.0.12","r8.0.10-rc0","r8.0.10","r7.0.21-rc0","r7.0.21","r7.0.21-alpha0","r7.0.18","r8.0.6","r7.0.17","r8.0.5-rc2","r8.0.5","r8.0.5-rc1","r8.0.5-rc0","r7.0.16-rc1","r7.0.16-rc0","r7.0.16","r8.0.4-rc0","r8.0.4","r7.0.15","r8.0.3","r8.0.2","r7.0.15-rc1","r7.0.15-rc0","r8.0.1-rc0","r8.0.1","r8.0.0","r7.0.14-rc0","r7.0.14","r7.0.13-rc1","r7.0.13","r7.0.13-rc0","r7.0.12-rc1","r7.0.12","r7.0.12-rc0","r7.0.11-rc2","r7.0.11","r7.0.11-rc1","r7.0.11-rc0","r7.0.10-rc0","r7.0.10","r7.0.9-rc1","r7.0.9","r7.0.9-rc0","r7.0.8-rc0","r7.0.8","r7.0.7-rc2","r7.0.7","r7.0.7-rc1","r7.0.7-rc0","r7.0.6-rc0","r7.0.6","r7.0.5-rc0","r7.0.5","r7.0.4-rc0","r7.0.4","r7.0.3-rc1","r7.0.3","r7.0.3-rc0","r7.0.2-rc2","r7.0.2","r7.0.2-rc1","r7.0.2-rc0","r7.0.1-rc0","r7.0.1","r7.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-4147.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}