Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable, low-complexity memory-exhaustion DoS with availability-only impact (A:H, C/I:N); PR:N follows the vendor vector though upload endpoints may in practice require an agent API key.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionNVD
Allocation of Resources Without Limits or Throttling (CWE-770) in Fleet Server can lead to a denial of service via Excessive Allocation (CAPEC-130). An attacker can submit a specially crafted request to an upload endpoint that causes excessive memory consumption, which may render Fleet Server unavailable.
AnalysisAI
Denial of service in Elastic Fleet Server (versions 8.0.0-8.19.10 and 9.0.0-9.2.4) allows remote attackers to exhaust memory by sending a specially crafted request to an upload endpoint, driving excessive allocation until the server becomes unresponsive. The flaw is a resource-throttling failure (CWE-770) with availability-only impact and no confidentiality or integrity loss. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to a Fleet Server upload endpoint (the artifact/diagnostic upload HTTP path); the attacker submits a single specially crafted upload request that triggers unbounded memory allocation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are internally consistent and point to a moderate, availability-only risk rather than a top-tier emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network reach to the Fleet Server HTTP interface sends a single crafted request to an upload endpoint whose payload or declared size forces the server to allocate an outsized memory buffer. Repeating or scaling the request exhausts available RAM, causing the process to be OOM-killed or hang, cutting off agent policy delivery and check-ins fleet-wide. … |
| Remediation | Vendor-released patch: upgrade Fleet Server to 8.19.11, 9.2.5, or 9.3.0 as documented in Elastic advisory ESA-2026-44 (https://discuss.elastic.co/t/fleet-server-8-19-11-9-2-5-9-3-0-security-update-esa-2026-44); 8.x users on 8.0.0-8.19.10 should move to 8.19.11, and 9.x users on 9.0.0-9.2.4 should move to 9.2.5 or 9.3.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Enable detailed monitoring on Fleet Server memory and CPU usage with automated alerting thresholds; isolate Fleet Server network segments from untrusted sources. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Fleet Server
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41077
GHSA-w52p-h72q-gcpf