Skip to main content

Metricbeat CVE-2026-26931

| EUVDEUVD-2026-13139 MEDIUM
Memory Allocation with Excessive Size Value (CWE-789)
2026-03-19 security@elastic.co GHSA-5vrw-qjxw-89r5
5.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.7 MEDIUM
AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 19, 2026 - 17:30 euvd
EUVD-2026-13139
Analysis Generated
Mar 19, 2026 - 17:30 vuln.today
CVE Published
Mar 19, 2026 - 17:16 nvd
MEDIUM 5.7

DescriptionCVE.org

Memory Allocation with Excessive Size Value (CWE-789) in the Prometheus remote_write HTTP handler in Metricbeat can lead Denial of Service via Excessive Allocation (CAPEC-130).

AnalysisAI

Metricbeat's Prometheus remote_write HTTP handler is vulnerable to denial of service through excessive memory allocation when processing specially crafted requests from authenticated network-adjacent attackers. An attacker with local privileges can trigger unbounded memory allocation to exhaust system resources and crash the service. No patch is currently available for this vulnerability.

Technical ContextAI

The vulnerability resides in Metricbeat's HTTP handler for Prometheus remote_write protocol integration, a feature that allows Metricbeat to receive metrics from Prometheus clients. The root cause is classified under CWE-789, which describes scenarios where an application allocates memory based on user-supplied input without proper validation or bounds checking. When a remote_write request containing an excessively large size value is processed, the handler attempts to allocate memory proportional to that value, bypassing safety checks. This is a common pattern in Go and Java applications handling HTTP payloads with Content-Length headers or size indicators in message frames. The Prometheus protocol is widely used in cloud-native and containerized environments, making this a particularly relevant vulnerability for observability infrastructure.

RemediationAI

Upgrade Metricbeat to version 8.19.13, 9.2.5, or later as released in Elastic security advisory ESA-2026-09 (https://discuss.elastic.co/t/metricbeat-8-19-13-9-2-5-security-update-esa-2026-09/385532). Until patches can be applied, implement network-level mitigations by restricting HTTP access to the Metricbeat remote_write endpoint to trusted Prometheus sources only, using network policies (Kubernetes NetworkPolicy, security groups, or firewall rules) to limit connectivity to the affected handler. Additionally, consider disabling the Prometheus remote_write input module if it is not actively used in your environment by removing or commenting out the corresponding configuration block in metricbeat.yml. Monitor Metricbeat resource consumption for unusual memory spikes, which could indicate exploitation attempts.

Share

CVE-2026-26931 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy