PatchSiren cyber security CVE debrief
CVE-2026-9748 MongoDB CVE debrief
CVE-2026-9748 is a HIGH severity vulnerability in MongoDB. The $_internalConvertBucketIndexStats stage used PauseExecution as a way to signal 'skip this document' when an index stats conversion failed. However, PauseExecution is not a general-purpose skip mechanism but rather a TeeBuffer-internal signal used solely by $facet to coordinate its sub-pipelines. When this stage is placed before $facet in a pipeline, TeeBuffer receives the unexpected PauseExecution from upstream and hits a hard invariant assertion, crashing mongod.
- Vendor
- MongoDB
- Product
- MongoDB Server
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-09
- Original CVE updated
- 2026-06-10
- Advisory published
- 2026-06-09
- Advisory updated
- 2026-06-10
Who should care
Users of MongoDB should be aware of this vulnerability and take action to mitigate it.
Technical summary
The $_internalConvertBucketIndexStats stage in MongoDB incorrectly used PauseExecution to signal 'skip this document' when an index stats conversion failed. This can cause a crash when the stage is placed before $facet in a pipeline.
Defensive priority
HIGH
Recommended defensive actions
- Apply the patch or update to a version of MongoDB that fixes this issue.
- Review and update pipeline configurations to avoid placing the $_internalConvertBucketIndexStats stage before $facet.
Evidence notes
Evidence suggests that this vulnerability was introduced in an unspecified version of MongoDB.
Official resources
-
CVE-2026-9748 CVE record
CVE.org
-
CVE-2026-9748 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-9748 was published on [2026-06-09T23:17:04.250Z](https://www.cve.org/CVERecord?id=CVE-2026-9748) and modified on [2026-06-10T19:43:28.857Z](https://nvd.nist.gov/vuln/detail/CVE-2026-9748).