Severity by source
AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Memory Allocation with Excessive Size Value (CWE-789) in the Prometheus remote_write HTTP handler in Metricbeat can lead Denial of Service via Excessive Allocation (CAPEC-130).
AnalysisAI
Metricbeat's Prometheus remote_write HTTP handler is vulnerable to denial of service through excessive memory allocation when processing specially crafted requests from authenticated network-adjacent attackers. An attacker with local privileges can trigger unbounded memory allocation to exhaust system resources and crash the service. No patch is currently available for this vulnerability.
Technical ContextAI
The vulnerability resides in Metricbeat's HTTP handler for Prometheus remote_write protocol integration, a feature that allows Metricbeat to receive metrics from Prometheus clients. The root cause is classified under CWE-789, which describes scenarios where an application allocates memory based on user-supplied input without proper validation or bounds checking. When a remote_write request containing an excessively large size value is processed, the handler attempts to allocate memory proportional to that value, bypassing safety checks. This is a common pattern in Go and Java applications handling HTTP payloads with Content-Length headers or size indicators in message frames. The Prometheus protocol is widely used in cloud-native and containerized environments, making this a particularly relevant vulnerability for observability infrastructure.
RemediationAI
Upgrade Metricbeat to version 8.19.13, 9.2.5, or later as released in Elastic security advisory ESA-2026-09 (https://discuss.elastic.co/t/metricbeat-8-19-13-9-2-5-security-update-esa-2026-09/385532). Until patches can be applied, implement network-level mitigations by restricting HTTP access to the Metricbeat remote_write endpoint to trusted Prometheus sources only, using network policies (Kubernetes NetworkPolicy, security groups, or firewall rules) to limit connectivity to the affected handler. Additionally, consider disabling the Prometheus remote_write input module if it is not actively used in your environment by removing or commenting out the corresponding configuration block in metricbeat.yml. Monitor Metricbeat resource consumption for unusual memory spikes, which could indicate exploitation attempts.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13139
GHSA-5vrw-qjxw-89r5