MongoDB Double-Free Vulnerability in Aggregation $lookup Operation

Vulnerability

A memory management vulnerability has been identified in MongoDB's aggregation framework, specifically within the slot-based execution (SBE) engine. This issue arises when an authenticated user with write privileges executes a $lookup operation that triggers a hash table spill from memory to disk. Under these circumstances, the SBE engine improperly handles memory, leading to a double-free or use-after-free error. The vulnerability affects MongoDB versions 8.2.2 and 8.0.16.

Impact

Exploitation of this vulnerability causes a critical double-free memory error in the SBE engine, which can lead to memory corruption.

Reproduction

To reproduce this vulnerability, an authenticated user with write privileges can execute a $lookup aggregation query that causes the hash table used by SBE to spill from memory to disk. This can be achieved by ensuring the hash table exceeds 100 MB and adding a duplicate key that triggers the spill. The vulnerability occurs because the SBE engine mistakenly assumes ownership of the spilled data, leading to a double-free error when the data is released twice.

Remediation

Users can upgrade to MongoDB versions 8.3.0-rc0, 8.0.20, or 7.0.31, where this vulnerability has been fixed.
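
A version triage check for the releases named above, as an added example that is not part of the original advisory or of MongoDB's own tooling. The host names and inventory are constructed; a release series for which this page lists no fixed version is reported as such rather than guessed.

```javascript
// Added example (not from the advisory); version strings are copied from the text above.
const FIXED_BY_SERIES = { "8.3": "8.3.0-rc0", "8.0": "8.0.20", "7.0": "7.0.31" };
const LISTED_AFFECTED = ["8.2.2", "8.0.16"];

// Parse "X.Y.Z" or "X.Y.Z-rcN" into a comparable tuple. A final release
// sorts after every release candidate of the same X.Y.Z.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?$/.exec(String(text).trim());
  if (!m) return null;
  const rc = m[4] === undefined ? Infinity : Number(m[4]);
  return [Number(m[1]), Number(m[2]), Number(m[3]), rc];
}

function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one server version against the advisory. "below-fix" means older
// than the fixed release of its series; the page does not enumerate every affected build.
function classify(text) {
  const v = parseVersion(text);
  if (!v) return "unparsed";
  if (LISTED_AFFECTED.some((a) => compareVersions(v, parseVersion(a)) === 0)) {
    return "listed-affected";
  }
  const fixed = FIXED_BY_SERIES[`${v[0]}.${v[1]}`];
  if (!fixed) return "no-fix-listed-for-series";
  return compareVersions(v, parseVersion(fixed)) >= 0 ? "at-or-above-fix" : "below-fix";
}

// Constructed inventory: hypothetical hosts with the version each one reports.
const inventory = [
  { host: "db-a.example.internal", version: "8.0.16" },
  { host: "db-b.example.internal", version: "8.0.20" },
  { host: "db-c.example.internal", version: "8.2.2" },
  { host: "db-d.example.internal", version: "7.0.28" },
  { host: "db-e.example.internal", version: "8.3.0-rc0" },
];

function triage(hosts) {
  return hosts.map((h) => ({ host: h.host, version: h.version, status: classify(h.version) }));
}

console.table(triage(inventory));
```

In mongosh, the string returned by db.version() can be passed to classify() directly.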

Added: Mar 17, 2026, 8:19 PM
Updated: Mar 17, 2026, 8:19 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 4.8
remediation: 7.7
relevance: 4.0
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.