UBSAN testing in v4.4 reported a possible null dereference in __wt_txn_user_active(). This looks like the problematic code:
UBSAN complains about the access to session_in_list->txn in the first use of the F_ISSET macro. I assume the danger is that we race with a thread that is closing a session. So in the code, above, session_in_list->active is true but by the time we start checking flags in the session's txn, it has been cleared.
This window is somewhat larger than it looks since __wt_session_close_internal() does a bunch of work between when it frees and clears its transaction and when it clears the active flag.
It is not clear whether MongoDB code would actually trigger this race or if UBSAN is simply reporting that it is possible.
Note that although the test failure was in v4.4, the same code and race is in the develop branch.