Cyber Resilience

CVE-2026-4358

Severity: Medium · Public PoC

Published: 17 March 2026

Modified: 02 April 2026
KEV Added: not listed
Patch: see the MongoDB JIRA ticket (SERVER-118849) referenced under Deeper analysis
CVSS Score (v4.0): 6.1
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0004 (12.7th percentile)
Risk Priority: 12 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4358 is a medium-severity Double Free (CWE-415) vulnerability in MongoDB Server. Its CVSS v4.0 base score is 6.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS exploit likelihood sits at the 12.7th percentile (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4358, published on 2026-03-17, is a double-free or use-after-free memory vulnerability (CWE-415) in MongoDB's slot-based execution (SBE) engine. The issue arises when an authenticated user with write privileges executes a specially crafted aggregation query using the $lookup operator, causing an in-memory hash table to spill to disk and triggering the memory corruption.

An attacker needs only low privileges (PR:L), meaning an authenticated user with write access, and can reach the flaw over the network (AV:N); attack complexity is high (AC:H), no user interaction is required (UI:N) and there is no scope change (S:U). Successful exploitation has low confidentiality (C:L) and integrity (I:L) impact and high availability (A:H) impact, which gives a CVSS v3.1 base score of 6.4 alongside the v4.0 score of 6.1 shown above. The practical outcome is memory corruption that crashes the mongod process, i.e. a denial of service against every node the user can send the query to.

Mitigation details are documented in the MongoDB JIRA advisory at https://jira.mongodb.org/browse/SERVER-118849.


Vulnerability details

A specially crafted aggregation query with $lookup by an authenticated user with write privileges can cause a double-free or use-after-free memory issue in the slot-based execution (SBE) engine when an in-memory hash table is spilled to disk.

CWE(s)

CWE-415 Double Free

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes remote triggering of a memory-corruption flaw in MongoDB, a database service that is frequently Internet-facing, via crafted aggregation queries, which directly yields an application denial of service. Note that the trigger requires an authenticated user with write privileges, so T1190 presumes an exposed mongod together with credentials the attacker can obtain, or an attacker who already holds an application account.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1848 (same product: MongoDB)
CVE-2026-1847 (same product: MongoDB)
CVE-2025-14847 (same product: MongoDB)
CVE-2026-1850 (same product: MongoDB)
CVE-2026-8336 (same product: MongoDB)
CVE-2026-1849 (same product: MongoDB)
CVE-2026-8053 (same product: MongoDB)
CVE-2026-4148 (same product: MongoDB)
CVE-2026-8201 (same product: MongoDB)
CVE-2025-0755 (same product: MongoDB)

Affected Assets

Vendor: MongoDB
Product: MongoDB Server
Affected versions: 7.0.0 through 7.0.31 · 8.0.0 through 8.0.20 · 8.2.0 through 8.2.6
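A quick way to triage a fleet against the version ranges above, as an added example that is not code from this page or from MongoDB: the ranges are copied from the Affected Assets list, the inventory is a constructed sample shaped like the `version` field of MongoDB's `buildInfo` command output, and a version outside the ranges is reported as "not listed" rather than "fixed", because this page names no fixed versions.

```python
import re

# Inclusive version ranges copied from the Affected Assets list on this page.
AFFECTED_RANGES = (
    ((7, 0, 0), (7, 0, 31)),
    ((8, 0, 0), (8, 0, 20)),
    ((8, 2, 0), (8, 2, 6)),
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Turn '8.0.20' (or '8.0.20-rc1') into the tuple (8, 0, 20).

    Pre-release suffixes are ignored, so a release candidate of an affected
    version is treated as affected, which is the conservative choice.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_listed_affected(version):
    """True if the version falls inside one of the page's affected ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(hosts):
    """Map host name -> 'AFFECTED' or 'not listed'.

    hosts is {name: build_info}, where build_info is the document returned
    by the MongoDB buildInfo command; only its 'version' field is used.
    """
    result = {}
    for name, build_info in hosts.items():
        verdict = "AFFECTED" if is_listed_affected(build_info["version"]) else "not listed"
        result[name] = verdict
    return result


# Constructed sample inventory (not real hosts). With pymongo you would fill
# this from client.admin.command("buildInfo") for each host instead.
SAMPLE_INVENTORY = {
    "orders-primary": {"version": "8.0.20"},
    "orders-secondary": {"version": "8.0.21"},
    "legacy-reporting": {"version": "7.0.31-rc0"},
    "analytics": {"version": "8.2.7"},
    "archive": {"version": "6.0.15"},
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:18s} {SAMPLE_INVENTORY[host]['version']:12s} {verdict}")
```

"Not listed" covers both versions newer than the ranges and release series the page does not mention at all, so cross-check any such host against the JIRA ticket rather than treating it as closed.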

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly remediates the double-free/use-after-free vulnerability in MongoDB's SBE engine by requiring identification, prioritization, and patching of the specific flaw.

SI-16 Memory Protection (prevent)

Implements memory protection mechanisms such as non-executable memory and address space randomization to make exploitation of the use-after-free and double-free memory corruption during hash table spills harder; these do not prevent the crash itself, so they reduce the chance of anything beyond denial of service rather than replacing the patch.
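As an added example of verifying that this control is actually in place on a Linux host (this is not code from the page or from MongoDB): the function reads the ELF header and program headers of a binary such as `/usr/bin/mongod` and reports whether it was built position-independent (ET_DYN, so ASLR can relocate it) and whether its PT_GNU_STACK segment is marked non-executable. The two sample images are constructed headers, not real executables. ASLR additionally needs `kernel.randomize_va_space` set to 2 on the host, which this check does not cover.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PF_X = 0x1

# ELF64 header and program header layouts (little-endian).
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # 56 bytes


def check_elf(data):
    """Return {'pie': bool, 'nx_stack': bool|None} for an ELF64 LE image.

    nx_stack is None when there is no PT_GNU_STACK header at all; Linux
    then defaults to an executable stack, so treat None as a finding.
    """
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    (_ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = EHDR.unpack_from(data, 0)
    if e_phentsize != PHDR.size:
        raise ValueError("unexpected program header size")

    nx_stack = None
    for i in range(e_phnum):
        p_type, p_flags, *_ = PHDR.unpack_from(data, e_phoff + i * PHDR.size)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack}


def check_path(path):
    """Run check_elf over a file on disk, e.g. /usr/bin/mongod."""
    with open(path, "rb") as f:
        return check_elf(f.read())


def build_fake_elf(e_type, stack_flags):
    """Constructed minimal ELF64 image: header plus one PT_GNU_STACK phdr.

    Only for exercising check_elf offline; it is not a loadable binary.
    """
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, LE, version 1
    phoff = EHDR.size
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, phoff, 0, 0,
                     EHDR.size, PHDR.size, 1, 0, 0, 0)
    phdr = PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


HARDENED = build_fake_elf(ET_DYN, 0x6)   # PF_R|PF_W, no PF_X: PIE, NX stack
WEAK = build_fake_elf(ET_EXEC, 0x7)      # fixed load address, executable stack

if __name__ == "__main__":
    import sys
    for label, img in (("hardened-sample", HARDENED), ("weak-sample", WEAK)):
        print(label, check_elf(img))
    for path in sys.argv[1:]:
        print(path, check_path(path))
```

Run it with the path of the installed mongod to get the two flags for the real binary; a vendor package that reports `pie: False` or `nx_stack: False` is a finding against this control regardless of patch level.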

AC-6 Least Privilege (prevent)

Enforces least privilege to limit write access, reducing the set of authenticated users who could execute the specially crafted $lookup aggregation query; accounts that only read or report should not hold roles that grant writes.
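As an added example (not from the page or from MongoDB) of turning this control into a check: `audit_users` walks a `usersInfo`-shaped document and lists the accounts whose roles can write, which is the precondition this page gives for triggering the flaw, and `read_only_user_command` builds the `createUser` document for a reporting account that only needs to run aggregations. The `usersInfo` sample is constructed; the set of built-in roles treated as write-capable is an assumption of this example, and custom roles are flagged for manual review rather than classified.

```python
# Built-in roles that grant insert/update/remove on user collections. This
# set is an assumption of this example, not an exhaustive list.
WRITE_ROLES = {"readWrite", "readWriteAnyDatabase", "dbOwner", "root", "restore"}
# Roles that cannot write data directly but can grant themselves roles that can.
ESCALATION_ROLES = {"userAdmin", "userAdminAnyDatabase"}
# Built-in roles known not to write user data.
READ_ONLY_ROLES = {"read", "readAnyDatabase", "clusterMonitor"}


def classify_user(user_doc):
    """Return (verdict, reasons) for one entry of a usersInfo 'users' array.

    verdict is 'write', 'escalation', 'review' (custom role, inspect its
    privileges with rolesInfo) or 'read-only', in that order of severity.
    """
    hits = {"write": [], "escalation": [], "review": []}
    for r in user_doc.get("roles", []):
        name, db = r["role"], r["db"]
        tag = f"{name}@{db}"
        if name in WRITE_ROLES:
            hits["write"].append(tag)
        elif name in ESCALATION_ROLES:
            hits["escalation"].append(tag)
        elif name not in READ_ONLY_ROLES:
            hits["review"].append(tag)
    for verdict in ("write", "escalation", "review"):
        if hits[verdict]:
            return verdict, hits[verdict]
    return "read-only", []


def audit_users(users_info):
    """Map 'user@authdb' -> (verdict, reasons) over a usersInfo result."""
    return {f"{u['user']}@{u['db']}": classify_user(u) for u in users_info["users"]}


def read_only_user_command(user, pwd, db):
    """createUser command document limited to the built-in 'read' role."""
    return {"createUser": user, "pwd": pwd, "roles": [{"role": "read", "db": db}]}


# Constructed sample, shaped like the output of
# db.getSiblingDB("admin").runCommand({usersInfo: {forAllDBs: true}}).
SAMPLE_USERS_INFO = {
    "users": [
        {"user": "app", "db": "admin",
         "roles": [{"role": "readWrite", "db": "orders"}]},
        {"user": "reports", "db": "admin",
         "roles": [{"role": "read", "db": "orders"}]},
        {"user": "ops", "db": "admin",
         "roles": [{"role": "userAdminAnyDatabase", "db": "admin"}]},
        {"user": "etl", "db": "orders",
         "roles": [{"role": "etlWriter", "db": "orders"}]},
    ],
    "ok": 1,
}

if __name__ == "__main__":
    for who, (verdict, reasons) in audit_users(SAMPLE_USERS_INFO).items():
        print(f"{who:16s} {verdict:10s} {', '.join(reasons)}")
    print(read_only_user_command("reports2", "<password>", "orders"))
```

Every account in the "write" bucket can trigger this flaw until the server is patched, so the list is also the scope for credential rotation if a leak is suspected; "escalation" accounts matter because a userAdmin can simply grant itself readWrite.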

References

MongoDB JIRA: https://jira.mongodb.org/browse/SERVER-118849