Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Gossip port requires no application-level authentication; PR:N reflects the technical exploit path once the port is network-reachable, independent of deployment-level firewall controls.
Primary rating from Vendor (HashiCorp).
CVSS VectorVendor: HashiCorp
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0.
AnalysisAI
Memory exhaustion in HashiCorp memberlist before 0.6.0 allows network-accessible attackers to crash individual cluster nodes by sending crafted push/pull state synchronization messages to the gossip port, triggering unbounded memory allocation until the process terminates. The vulnerability is rooted in missing resource limits on incoming gossip state payloads (CWE-770). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must have TCP or UDP network connectivity to the gossip port on the target node (commonly port 8301 in Consul-based deployments, or the port configured via memberlist's BindPort setting). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) reflects that reaching the gossip port is treated as a high-privilege condition, suppressing an otherwise network-exploitable, no-interaction, high-availability-impact flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to the memberlist gossip port initiates a push/pull state exchange with a target node and sends a crafted, oversized state payload containing a large number of membership records. Because the receiving node imposes no allocation ceiling while processing the stream, it continuously allocates memory until heap exhaustion causes the Go runtime to terminate the process, taking the cluster node offline. … |
| Remediation | Upgrade to HashiCorp memberlist 0.6.0, which is confirmed as the fix version per the HashiCorp advisory at https://discuss.hashicorp.com/t/hcsec-2026-18-memberlist-vulnerable-to-denial-of-service-via-gossip-message/77556. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42342
GHSA-6r3r-6rpf-v429