{"id":"CVE-2026-4358","summary":"Memory safety issues in slot-based execution hash table spill","details":"A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.","aliases":["BIT-mongodb-2026-4358"],"modified":"2026-07-15T21:57:36.022917Z","published":"2026-03-17T19:00:07.518Z","database_specific":{"cna_assigner":"mongodb","cwe_ids":["CWE-415"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/4xxx/CVE-2026-4358.json","unresolved_ranges":[{"extracted_events":[{"introduced":"8.2"},{"fixed":"8.2.6"},{"introduced":"8.0"},{"fixed":"8.0.20"},{"introduced":"7.0"},{"fixed":"7.0.31"}],"source":"AFFECTED_FIELD"}]},"references":[{"type":"WEB","url":"https://jira.mongodb.org/browse/SERVER-118849"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/4xxx/CVE-2026-4358.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4358"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mongodb/mongo","events":[{"introduced":"37d84072b5c5b9fd723db5fa133fb202ad2317f1"},{"fixed":"ef9c90f7aba16cf5906f8665bb479f89c5aa4a2b"},{"introduced":"b41cda4fe697dce6fd9b83b3805362ccc02fbeb3"},{"fixed":"05009bb976757189fd9bff4cebc5d803a6737a95"},{"introduced":"b993867dce63dd366cd93e60f3f425ed716f6497"},{"fixed":"32a732a9b646200050bedd569d0e18fda534f92c"}],"database_specific":{"cpe":"cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*","extracted_events":[{"introduced":"7.0.0"},{"fixed":"7.0.31"},{"introduced":"8.0.0"},{"fixed":"8.0.20"},{"introduced":"8.2.0"},{"fixed":"8.2.6"}],"source":"CPE_RANGE"}}],"versions":["r8.2.4-alpha1","r8.2.4-alpha0","r7.0.27-rc0","r7.0.27","r8.0.17-alpha0","r8.0.16-rc1","r8.0.16","r7.0.27-alpha0","r7.0.26-rc0","r7.0.26","r8.2.3-alpha0","r8.2.2-rc0","r8.2.2","r8.0.16-rc0","r8.0.14-rc1","r8.0.14","r7.0.24-rc0","r7.0.24","r8.2.1-rc1","r8.2.1","r8.2.1-rc0","r7.0.25-alpha0","r8.0.14-rc0","r8.2.0","r8.0.13-rc2","r8.0.13","r8.0.13-rc1","r8.0.13-rc0","r7.0.23-rc1","r7.0.23","r7.0.23-rc0","r7.0.22-rc0","r7.0.22","r8.0.12-rc0","r8.0.12","r8.0.10-rc0","r8.0.10","r7.0.21-rc0","r7.0.21","r7.0.21-alpha0","r7.0.18","r8.0.6","r7.0.17","r8.0.5-rc2","r8.0.5","r8.0.5-rc1","r8.0.5-rc0","r7.0.16-rc1","r7.0.16-rc0","r7.0.16","r8.0.4-rc0","r8.0.4","r7.0.15","r8.0.3","r8.0.2","r7.0.15-rc1","r7.0.15-rc0","r8.0.1-rc0","r8.0.1","r8.0.0","r7.0.14-rc0","r7.0.14","r7.0.13-rc1","r7.0.13","r7.0.13-rc0","r7.0.12-rc1","r7.0.12","r7.0.12-rc0","r7.0.11-rc2","r7.0.11","r7.0.11-rc1","r7.0.11-rc0","r7.0.10-rc0","r7.0.10","r7.0.9-rc1","r7.0.9","r7.0.9-rc0","r7.0.8-rc0","r7.0.8","r7.0.7-rc2","r7.0.7","r7.0.7-rc1","r7.0.7-rc0","r7.0.6-rc0","r7.0.6","r7.0.5-rc0","r7.0.5","r7.0.4-rc0","r7.0.4","r7.0.3-rc1","r7.0.3","r7.0.3-rc0","r7.0.2-rc2","r7.0.2","r7.0.2-rc1","r7.0.2-rc0","r7.0.1-rc0","r7.0.1","r7.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-4358.json","vanir_signatures_modified":"2026-07-15T21:57:36Z","vanir_signatures":[{"signature_type":"Line","signature_version":"v1","source":"https://github.com/mongodb/mongo/commit/32a732a9b646200050bedd569d0e18fda534f92c","target":{"file":"src/mongo/util/md5.cpp"},"deprecated":false,"digest":{"line_hashes":["212916051933611333336019566765871154533","127072531193682496647404363037825275968","82618083542634382065142722552922596523","4324924340243736427572372707787432252"],"threshold":0.9},"id":"CVE-2026-4358-074a18d5"},{"signature_version":"v1","source":"https://github.com/mongodb/mongo/commit/05009bb976757189fd9bff4cebc5d803a6737a95","target":{"file":"src/mongo/util/md5.cpp"},"deprecated":false,"digest":{"line_hashes":["243049191849363753065600341015684019120","312131738472726656287569917628189519640","269011836439409954144825691130893251414","261701652252642430706775392390697022443"],"threshold":0.9},"id":"CVE-2026-4358-1abd9456","signature_type":"Line"},{"source":"https://github.com/mongodb/mongo/commit/05009bb976757189fd9bff4cebc5d803a6737a95","target":{"file":"src/mongo/util/md5.cpp","function":"md5_init"},"deprecated":false,"digest":{"function_hash":"22528191371751663195701634984920870034","length":244},"id":"CVE-2026-4358-3141a725","signature_type":"Function","signature_version":"v1"},{"target":{"file":"src/mongo/util/md5.cpp","function":"md5_init_state"},"deprecated":false,"digest":{"function_hash":"253896680426164393151009864932457722232","length":57},"id":"CVE-2026-4358-de078695","signature_type":"Function","signature_version":"v1","source":"https://github.com/mongodb/mongo/commit/32a732a9b646200050bedd569d0e18fda534f92c"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"}]}