This is a problem because when some code (such as the establishCursors clean-up thread) sends a fire-and-forget command, it doesn't wait for the response (by definition). This means that the opCtx and Client used by the request might be de-allocated immediately after the command was sent. However, NetworkTestEnv may still schedule a response for the command (if the test author defines what the command ought to return, which is not unreasonable despite the command being fire-and-forget). This leads to the potentially-freed opCtx being passed to readReplyMetadata(). If any metadata hooks use the opCtx, it can result in a use-after-free. (Currently no metadata hooks actually do this, but that is being changed by SERVER-47914.)