Fatal Crash (Signal 11 / Segfault) in pcre2_match_data_free_8 during catastrophic backtracking regex evaluation


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Critical - P2
    • Affects Version/s: 8.0.16
    • Component/s: None
    • Query Execution
    • ALL

      Execute an aggregation query with the following $match conditions against a collection containing varying string lengths:


      db.trackings.aggregate([
        {
          $match: {
            "connectionInfo.referer": /https:\/\/www.([0-9a-z_]|-)*.[com|net|org]/i,
            "connectionInfo.userAgent": /^((?!Google|bot|unknown|phantom|crawl).)*$/
          }
        }
      ])


      (Note: The catastrophic backtracking is intentional here to trigger the bug. We have already fixed our application logic, but the DB engine should not crash completely in this scenario.)

      [Expected Behavior] The query should be aborted by the internal regex engine (e.g., reaching PCRE match limit) or hit the maxTimeMS timeout, returning an error to the client while keeping the mongod process alive.

      [Actual Behavior] The mongod process crashes instantly with Signal 11 (Segmentation fault).
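      As an added example (not code from the ticket or from MongoDB), the two patterns from the $match stage above are placed beside hardened rewrites in Python's re module; the intended semantics of the rewrites (a www. host ending in exactly com, net or org, and a user agent containing none of the listed words) are an assumption, and the sample inputs are constructed.

```python
import re

# Patterns copied verbatim from the ticket's $match stage, rewritten from JS
# regex literals to Python raw strings (the /i flag becomes re.IGNORECASE).
REFERER_ORIG = re.compile(r"https:\/\/www.([0-9a-z_]|-)*.[com|net|org]", re.IGNORECASE)
UA_ORIG = re.compile(r"^((?!Google|bot|unknown|phantom|crawl).)*$")

# Hardened rewrites (assumed intent, see lead-in). Changes:
#  - literal dots escaped; "[com|net|org]" (a character class matching one of
#    c o m | n e t r g) replaced by a real, anchored alternation
#  - "([0-9a-z_]|-)*" folded into one class, so each character can be consumed
#    in exactly one way and there is no alternation for the engine to revisit
#  - the per-character negative lookahead replaced by a plain substring search
REFERER_SAFE = re.compile(r"^https://www\.[0-9a-z_-]+\.(?:com|net|org)(?:[/?#]|$)", re.IGNORECASE)
UA_BLOCKLIST = re.compile(r"Google|bot|unknown|phantom|crawl")


def match_orig(referer: str, user_agent: str) -> bool:
    """Decision the ticket's $match makes (unanchored search, like $regex)."""
    return REFERER_ORIG.search(referer) is not None and UA_ORIG.match(user_agent) is not None


def match_safe(referer: str, user_agent: str) -> bool:
    """Same decision with the hardened patterns."""
    return REFERER_SAFE.match(referer) is not None and UA_BLOCKLIST.search(user_agent) is None


def disagreements(samples):
    """Return the (referer, user_agent) pairs on which the two versions differ."""
    return [(r, ua) for r, ua in samples if match_orig(r, ua) != match_safe(r, ua)]


# Constructed samples. The .xyz host shows that the original pattern's unescaped
# "." and character-class TLD accept a domain it was presumably meant to reject.
SAMPLES = [
    ("https://www.example.com/page", "Mozilla/5.0"),
    ("https://www.example.xyz/", "Mozilla/5.0"),
    ("https://www.example.com/", "Googlebot/2.1"),
    ("http://www.example.com/", "Mozilla/5.0"),
]
```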

      [Diagnostic Log / Backtrace Snippet]


      {"t":{"$date":"2026-03-09T01:00:09.035-07:00"},"s":"F",  "c":"CONTROL",  "id":6384300, "ctx":"conn9628","msg":"Writing fatal message","attr":{"message":"Invalid access at address: 0\n"}}
      {"t":{"$date":"2026-03-09T01:00:09.035-07:00"},"s":"F",  "c":"CONTROL",  "id":6384300, "ctx":"conn9628","msg":"Writing fatal message","attr":{"message":"Got signal: 11 (Segmentation fault).\n"}}

      BACKTRACE:

      {"a":"61FB96B5CE47","b":"61FB8D658000","o":"9504E47","s":"pcre2_match_data_free_8","s+":"37"}
      {"a":"61FB967FFBC1","b":"61FB8D658000","o":"91A7BC1","s":"_ZN5mongo4pcre9MatchDataD1Ev","C":"mongo::pcre::MatchData::~MatchData()","s+":"21"}
      {"a":"61FB951866A9","b":"61FB8D658000","o":"7B2E6A9","s":"_ZNK5mongo20RegexMatchExpression20matchesSingleElementERKNS_11BSONElementEPNS_12MatchDetailsE","C":"mongo::RegexMatchExpression::matchesSingleElement(mongo::BSONElement const&, mongo::MatchDetails*) const","s+":"129"}

      ...
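      As an added example (not part of the ticket), the following parses an excerpt in the format shown above: it flags the fatal CONTROL records, extracts the signal number, and rebuilds the backtrace with the demangled names, checking for each frame that the address equals base plus offset. The sample excerpt is constructed from the lines above, one JSON object per line with the extraction artifact "\{" removed.

```python
import json

# Constructed sample modelled on the ticket's excerpt: two fatal CONTROL
# records, then the BACKTRACE frames, one JSON object per line.
SAMPLE_LOG = r'''
{"t":{"$date":"2026-03-09T01:00:09.035-07:00"},"s":"F","c":"CONTROL","id":6384300,"ctx":"conn9628","msg":"Writing fatal message","attr":{"message":"Invalid access at address: 0\n"}}
{"t":{"$date":"2026-03-09T01:00:09.035-07:00"},"s":"F","c":"CONTROL","id":6384300,"ctx":"conn9628","msg":"Writing fatal message","attr":{"message":"Got signal: 11 (Segmentation fault).\n"}}
BACKTRACE:
{"a":"61FB96B5CE47","b":"61FB8D658000","o":"9504E47","s":"pcre2_match_data_free_8","s+":"37"}
{"a":"61FB967FFBC1","b":"61FB8D658000","o":"91A7BC1","s":"_ZN5mongo4pcre9MatchDataD1Ev","C":"mongo::pcre::MatchData::~MatchData()","s+":"21"}
{"a":"61FB951866A9","b":"61FB8D658000","o":"7B2E6A9","s":"_ZNK5mongo20RegexMatchExpression20matchesSingleElementERKNS_11BSONElementEPNS_12MatchDetailsE","C":"mongo::RegexMatchExpression::matchesSingleElement(mongo::BSONElement const&, mongo::MatchDetails*) const","s+":"129"}
...
'''


def parse_fatal_event(text: str) -> dict:
    """Collect fatal messages, the signal number and the backtrace frames."""
    event = {"signal": None, "messages": [], "frames": []}
    in_backtrace = False
    for line in text.splitlines():
        line = line.strip()
        if line == "BACKTRACE:":
            in_backtrace = True
            continue
        if not line.startswith("{"):
            continue  # blank lines and the trailing "..."
        rec = json.loads(line)
        if in_backtrace:
            addr, base, off = (int(rec[k], 16) for k in ("a", "b", "o"))
            event["frames"].append({
                "symbol": rec.get("C", rec["s"]),  # demangled name when the log has one
                "offset": off,                      # binary-relative offset for symbolization
                "consistent": base + off == addr,   # sanity check: a == b + o
            })
        elif rec.get("s") == "F" and rec.get("c") == "CONTROL":
            msg = rec["attr"]["message"].strip()
            event["messages"].append(msg)
            if msg.startswith("Got signal: "):
                event["signal"] = int(msg.split()[2])
    return event


def is_segfault(event: dict) -> bool:
    return event["signal"] == 11


def crash_site(event: dict):
    # Innermost frame, i.e. the function in which the fault was raised.
    return event["frames"][0]["symbol"] if event["frames"] else None
```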

    • QE 2026-03-30, QE 2026-04-13

      When executing an aggregation pipeline containing a highly complex regex (which induces catastrophic backtracking, such as excessive negative lookaheads), the mongod process unexpectedly crashes with a Segmentation Fault (Signal 11).

      Instead of failing the query gracefully (e.g., throwing a PCRE match limit error or operation time limit exceeded), the server crashes entirely during the cleanup phase. The backtrace shows that the crash occurs inside pcre2_match_data_free_8, called from mongo::RegexMatchExpression::matchesSingleElement via mongo::pcre::MatchData::~MatchData().

      This suggests a memory management or cleanup bug (e.g., invalid memory access at address: 0) in the PCRE2 integration when a regex evaluation is aborted due to extreme backtracking.

       

            Assignee: Ivan Fefer
            Reporter: Kwan Woo Park
            Votes: 0
            Watchers: 4