ReplicaSetMonitor::_check() holds a reference to probablePrimaryIdx across multiple _locks. This could easily be modified between lock acquisitions, yet _master is conditionally set to this index. If ReplicaSetMonitor::check() calls ReplicaSetMonitor::_check() with checkAllSecondaries set to false, a subsequent call to ReplicaSetMonitor::check() could reference a node that's past the bounds of the _nodes vector.

I believe this could cause a segfault in ReplicaSetMonitor::check() as there is no upper bound check on the index of _master:

            // first see if the current master is fine
            if ( _master >= 0 ) {
                masterConn = _nodes[_master].conn;
            }