#1136802 php-mongodb: CVE-2026-6811

Package:
src:php-mongodb
Source:
src:php-mongodb
Submitter:
Salvatore Bonaccorso
Date:
2026-05-16 09:09:02 UTC
Severity:
normal
Tags:
#1136802#5
Date:
2026-05-16 08:15:02 UTC
From:
To:
Hi,

The following vulnerability was published for php-mongodb.

CVE-2026-6811[0]:
| Stack exhaustion vulnerability in the MongoDB PHP driver can cause
| application crashes when processing deeply nested BSON documents in
| unusual circumstances when the source of these BSON documents is not
| MongoDB Server.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-6811
https://www.cve.org/CVERecord?id=CVE-2026-6811
[1] https://jira.mongodb.org/browse/PHPC-2636
[2] https://github.com/mongodb/mongo-php-driver/commit/2060beb85a041182550d022ec223783ffdaf6ec8

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1136802#10
Date:
2026-05-16 08:25:14 UTC
From:
To:
I feel this is one of these “security” issues that don’t deserve fixing:

This feels like Curriculum Vitae Enhancement and not a real security issue as this reads “are you parsing data from untrusted sources”?

Ondrej
--
Ondřej Surý (He/Him)

A gentle nudge is always appreciated if I take a little longer to reply.

#1136802#15
Date:
2026-05-16 09:07:38 UTC
From:
To:
Hi Ondřej,

Ack, so let's mark it no-dsa for older series and just fix it in
unstable/forky once it enters with the new upstream version?
Apparently the CVE itself was assigned by the MongoDB CNA itself, so
they apparently did still consider it with security impact.

Thanks a lot for this quick comment, much appreciated!

Salvatore
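
For applications that do decode BSON from sources other than MongoDB Server (the case named in the CVE description quoted in the first message), one defensive option is to bound nesting depth before the bytes reach the driver. The following is an added example, not code from the php-mongodb package or from the upstream fix; the function names `bsonMaxDepth` and `nestedSample`, the depth limit of 64 and the use of 64-bit PHP 8 are assumptions.

```php
<?php
// Added example (not driver code): compute BSON nesting depth with an explicit
// stack instead of recursion; reject input deeper than $maxDepth (assumed limit).
function bsonMaxDepth(string $bson, int $maxDepth = 64): int
{
    // Byte widths of fixed-size element values, keyed by BSON type code.
    $fixed = [0x01 => 8, 0x06 => 0, 0x07 => 12, 0x08 => 1, 0x09 => 8, 0x0A => 0,
              0x10 => 4, 0x11 => 8, 0x12 => 8, 0x13 => 16, 0x7F => 0, 0xFF => 0];
    $len = strlen($bson);
    $bad = fn(string $why) => new InvalidArgumentException("invalid BSON: $why");
    $i32 = fn(int $p): int => $p + 4 <= $len ? unpack('V', $bson, $p)[1] : throw $bad('truncated');
    $cstr = fn(int $p): int => ($p < $len && ($n = strpos($bson, "\0", $p)) !== false)
        ? $n + 1 : throw $bad('unterminated string');   // offset just past a C string
    $ends = [];          // end offsets of open documents; count($ends) is the depth
    [$pos, $max, $open] = [0, 0, true];   // $open: a document header starts at $pos
    while (true) {
        if ($open) {
            $size = $i32($pos);
            $limit = $ends ? end($ends) - 1 : $len;   // must fit inside the parent
            if ($size < 5 || $pos + $size > $limit) throw $bad('document size');
            $ends[] = $pos + $size;
            if (count($ends) > $maxDepth) throw new LengthException('BSON nested too deeply');
            [$max, $pos, $open] = [max($max, count($ends)), $pos + 4, false];
        }
        if ($pos >= $len) throw $bad('truncated document');
        $type = ord($bson[$pos++]);
        if ($type === 0x00) {                 // terminator closes the innermost document
            if ($pos !== array_pop($ends)) throw $bad('size mismatch');
            if (!$ends) break;
            continue;
        }
        $pos = $cstr($pos);                   // element name
        if (isset($fixed[$type])) $pos += $fixed[$type];
        elseif (in_array($type, [0x02, 0x0D, 0x0E], true)) $pos += 4 + $i32($pos); // string-like
        elseif ($type === 0x05) $pos += 5 + $i32($pos);         // binary: length, subtype, data
        elseif ($type === 0x0B) $pos = $cstr($cstr($pos));      // regex: pattern, options
        elseif ($type === 0x0C) $pos += 16 + $i32($pos);        // DBPointer: string + 12 bytes
        elseif ($type === 0x03 || $type === 0x04) $open = true; // embedded document or array
        elseif ($type === 0x0F) { $pos += 8 + $i32($pos + 4); $open = true; } // code, then scope
        else throw $bad('unknown element type');
    }
    if ($pos !== $len) throw $bad('trailing bytes');
    return $max;
}

// Constructed sample input: an empty document wrapped $n times as {"a": ...}.
function nestedSample(int $n): string {
    for ($d = "\x05\0\0\0\0"; $n-- > 0;) $d = pack('V', strlen($d) + 8) . "\x03a\0" . $d . "\0";
    return $d;
}
var_dump(bsonMaxDepth(nestedSample(3)));
try { bsonMaxDepth(nestedSample(200)); } catch (LengthException $e) { echo $e->getMessage(), "\n"; }
```

The check is a pre-filter on untrusted bytes, not a replacement for the driver's own validation or for upgrading to a fixed package version.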