CVE-2026-8336
Published: 13 May 2026
Summary
CVE-2026-8336 is a high-severity Use After Free (CWE-416) vulnerability in Mongodb (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, ranked at the 15.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR.
NVD Description
After invoking $_internalJsEmit, which is not intended to be directly accessible, or mapreduce command’s map function in a certain way, an authenticated user can subsequently crash mongod when the server-side JavaScript engine (through $where, $function, mapreduce reduce stage, etc.) is…
more
used also in a specific way, resulting in a post-authentication denial-of-service. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 versions prior to 8.2.9 and v8.3 versions prior to 8.3.2.
Deeper analysisAI
Automated synthesis unavailable for this CVE.
Details
- CWE(s)