Skip to main content

HashiCorp memberlist CVE-2026-14362

| EUVDEUVD-2026-42342 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-08 HashiCorp GHSA-6r3r-6rpf-v429
4.9
CVSS 3.1 · Vendor: HashiCorp
Share

Severity by source

Vendor (HashiCorp) PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Gossip port requires no application-level authentication; PR:N reflects the technical exploit path once the port is network-reachable, independent of deployment-level firewall controls.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (HashiCorp).

CVSS VectorVendor: HashiCorp

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 19:01 EUVD
Analysis Generated
Jul 08, 2026 - 17:54 vuln.today

DescriptionCVE.org

HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0.

AnalysisAI

Memory exhaustion in HashiCorp memberlist before 0.6.0 allows network-accessible attackers to crash individual cluster nodes by sending crafted push/pull state synchronization messages to the gossip port, triggering unbounded memory allocation until the process terminates. The vulnerability is rooted in missing resource limits on incoming gossip state payloads (CWE-770). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain network access to gossip port
Delivery
Initiate push/pull state handshake
Exploit
Send oversized crafted state payload
Execution
Trigger unbounded memory allocation
Persist
Exhaust node heap memory
Impact
Process terminates (availability loss)

Vulnerability AssessmentAI

Exploitation The attacker must have TCP or UDP network connectivity to the gossip port on the target node (commonly port 8301 in Consul-based deployments, or the port configured via memberlist's BindPort setting). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) reflects that reaching the gossip port is treated as a high-privilege condition, suppressing an otherwise network-exploitable, no-interaction, high-availability-impact flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to the memberlist gossip port initiates a push/pull state exchange with a target node and sends a crafted, oversized state payload containing a large number of membership records. Because the receiving node imposes no allocation ceiling while processing the stream, it continuously allocates memory until heap exhaustion causes the Go runtime to terminate the process, taking the cluster node offline. …
Remediation Upgrade to HashiCorp memberlist 0.6.0, which is confirmed as the fix version per the HashiCorp advisory at https://discuss.hashicorp.com/t/hcsec-2026-18-memberlist-vulnerable-to-denial-of-service-via-gossip-message/77556. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-14362 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy