CVE-2026-25611: Pre-Authentication Denial of Service via Asymmetric Memory Exhaustion in MongoDB Server

MongoDB Server utilizes a custom binary wire protocol for communication between clients and the database. This protocol defines various opcodes to instruct the server on how to process incoming messages. The OP_COMPRESSED opcode, designated by the integer value 2012, is utilized to encapsulate other opcodes within a compressed format. This encapsulation mechanism is designed to reduce network bandwidth usage by applying algorithms such as Snappy, Zlib, or Zstandard to the payload.

The vulnerability, identified as CVE-2026-25611, exists in the parsing logic responsible for handling these OP_COMPRESSED messages. The parsing occurs at the network ingress layer, before the server authenticates the client or processes any BSON payloads. Because this protocol layer is exposed to unauthenticated connections, the attack surface is accessible to any entity capable of routing TCP traffic to the MongoDB service port.

This flaw is classified under CWE-405: Asymmetric Resource Consumption (Amplification). The server fails to implement sufficient bounds checking on the memory allocation requests derived from client-provided packet fields. Consequently, an unauthenticated remote attacker can force the database process to allocate excessive amounts of memory with minimal network bandwidth expenditure, resulting in a severe Denial of Service condition.

The root cause of CVE-2026-25611 resides in the deterministic allocation of memory based entirely on untrusted client input. The structure of an OP_COMPRESSED message consists of a standard message header followed by four specific fields. These fields include the original opcode, the uncompressed size of the payload, the compressor ID, and the compressed payload itself. The standard message header specifies the total length of the packet, while the uncompressed size field dictates the expected size of the data after decompression.

Upon receiving an OP_COMPRESSED packet, the MongoDB ingress handler extracts the 32-bit integer representing the uncompressedSize. The server immediately provisions a memory buffer matching this exact size to store the output of the decompression algorithm. This allocation operation precedes any validation of the decompression process and occurs without correlating the declared uncompressed size against the actual size of the compressed payload.

The application implicitly trusts the client-provided size metric. If a malicious client supplies a mathematically disproportionate or physically unfeasible uncompressed size value, the server attempts the allocation regardless of the system's available resources. The lack of an upper bound or a sanity check on the ratio between compressed and uncompressed data sizes permits the asymmetric consumption of heap memory.

Exploitation of CVE-2026-25611 requires establishing a standard TCP connection to the target MongoDB service, which typically listens on port 27017. The attacker crafts a custom binary packet structured to match the OP_COMPRESSED wire protocol specification. The critical component of this payload is the uncompressedSize field, which the attacker populates with an artificially inflated value, such as 0x7FFFFFFF representing approximately 2.1 gigabytes.

The compressed payload section of the packet can contain minimal or arbitrary data, requiring only a few bytes of network transit. When the MongoDB server processes this packet, it requests a contiguous memory block of 2.1 gigabytes from the operating system allocator. A single request consumes a massive fraction of available system memory while costing the attacker practically zero bandwidth.

To guarantee process termination, the attacker transmits multiple crafted packets concurrently. This rapid sequence of multi-gigabyte allocation requests quickly exhausts the physical RAM and swap space of the host system. Once memory is fully depleted, the Linux kernel invokes the Out-Of-Memory (OOM) Killer, which subsequently identifies the MongoDB process as the primary memory consumer and terminates it. Alternatively, the memory allocator may throw an unhandled exception, causing the MongoDB process to crash directly.

The direct impact of this vulnerability is a complete loss of availability for the targeted MongoDB database instance. The National Vulnerability Database calculates a CVSS v4.0 base score of 8.7 and a CVSS v3.1 base score of 7.5, reflecting the high severity of the availability impact coupled with the low complexity of the network-based attack vector. The absence of an authentication requirement significantly elevates the risk profile, exposing any internet-facing instance to immediate disruption.

In production environments, the sudden termination of the primary database process initiates a cascade of failures across dependent applications and microservices. While replica sets may trigger an automatic failover sequence, the deterministic nature of the exploit allows an attacker to continuously target newly elected primary nodes. This continuous targeting prevents the cluster from maintaining a stable state and nullifies the availability benefits of standard high-availability architectures.

Current threat intelligence indicates that proof-of-concept methodologies are available within the security research community, elevating the probability of targeted exploitation. The Exploit Prediction Scoring System (EPSS) currently records a score of 0.0005, placing it in the 15.2nd percentile. The trivial nature of the exploit construction suggests a high probability of integration into automated denial-of-service scripts and botnet targeting arrays.

MongoDB engineers addressed the asymmetric memory consumption flaw through a series of structural patches applied across the network ingress subsystem. The primary fix, tracked under SERVER-116210, introduces strict global limits on the maximum buffer size permitted for ingress requests. This modification ensures that the server evaluates the uncompressedSize field against predefined, safe thresholds before initiating any memory allocation sequence.

Supplementary patches provide defense-in-depth measures against memory-related process termination. SERVER-116211 caps the total memory allocation permitted for specific network buffer tasks, preventing concurrent requests from aggregating memory consumption beyond a safe limit. Additionally, SERVER-116206 improves the exception handling routines within the message compressor modules, ensuring that failed allocation attempts result in a controlled connection termination rather than an unhandled process crash.

Administrators must upgrade affected instances to MongoDB Server versions 8.2.4, 8.0.18, or 7.0.29 immediately. In environments where patching is constrained by deployment schedules, network security controls provide the only effective mitigation. Restricting access to port 27017 via firewalls or Virtual Private Cloud (VPC) security groups ensures that only trusted, authenticated network segments can initiate connections to the database layer.