CVE-2026-9748: $_internalConvertBucketIndexStats may crash the mongod server when working on no timeseries input
The $_internalConvertBucketIndexStats stage used PauseExecution to signal "skip this document" when an index stats conversion failed. PauseExecution is not a general-purpose skip mechanism; it is a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines. When this stage is placed before $facet in a pipeline, TeeBuffer receives the unexpected PauseExecution from upstream and hits a hard invariant assertion, crashing mongod.
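The signalling mistake described above, as a simplified C++ model added here for illustration; it is not MongoDB source code. All class and function names are hypothetical, the invariant is modelled as an exception rather than a process abort, and the skip-by-continuing variant is an assumption about one way to avoid the signal, not the project's actual fix.

```cpp
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <utility>
#include <vector>

// Simplified model; every name here is illustrative, not MongoDB source code.
enum class State { Advanced, PauseExecution, Eof };
struct Result { State state; int doc; };
struct Doc { int id; bool convertible; };  // convertible == false: conversion failed

class ConvertStage {
public:
    ConvertStage(std::vector<Doc> in, bool fixed) : in_(std::move(in)), fixed_(fixed) {}
    Result getNext() {
        while (pos_ < in_.size()) {
            Doc d = in_[pos_++];
            if (d.convertible) return {State::Advanced, d.id};
            if (!fixed_) return {State::PauseExecution, 0};  // bug: pause used as "skip"
            // Assumed fix: drop the document and keep pulling from the source.
        }
        return {State::Eof, 0};
    }
private:
    std::vector<Doc> in_;
    bool fixed_;
    std::size_t pos_ = 0;
};

// Stand-in for the buffer feeding $facet sub-pipelines: it never expects a pause
// from upstream. The server aborts here; the model throws so the failure is visible.
std::vector<int> teeBufferLoad(ConvertStage& source) {
    std::vector<int> buffered;
    for (;;) {
        Result r = source.getNext();
        if (r.state == State::Eof) return buffered;
        if (r.state == State::PauseExecution)
            throw std::logic_error("invariant: unexpected PauseExecution from upstream");
        buffered.push_back(r.doc);
    }
}

bool crashes(bool fixed) {
    ConvertStage stage({{1, true}, {2, false}, {3, true}}, fixed);  // constructed input
    try { teeBufferLoad(stage); return false; }
    catch (const std::logic_error&) { return true; }
}

int main() {
    std::cout << "buggy: " << crashes(false) << ", fixed: " << crashes(true) << "\n";
}
```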
Frequently Asked Questions
What is the severity of CVE-2026-9748?
The severity of CVE-2026-9748 is classified as medium with a score of 6.5.
What is the risk associated with CVE-2026-9748?
CVE-2026-9748 has a risk score of 38, indicating a medium level of threat.
How do I fix CVE-2026-9748?
To mitigate CVE-2026-9748, ensure that your MongoDB server is updated to a version that addresses the vulnerability.
What type of system is impacted by CVE-2026-9748?
CVE-2026-9748 impacts the MongoDB Server when using the $_internalConvertBucketIndexStats stage.
Can CVE-2026-9748 cause data loss?
CVE-2026-9748 may lead to server crashes, which could potentially impact running processes but is not directly linked to data loss.