Shared Library
Monthly
Memory exhaustion in HashiCorp memberlist before 0.6.0 allows network-accessible attackers to crash individual cluster nodes by sending crafted push/pull state synchronization messages to the gossip port, triggering unbounded memory allocation until the process terminates. The vulnerability is rooted in missing resource limits on incoming gossip state payloads (CWE-770). No public exploit code exists and CISA KEV listing is not confirmed; however, because memberlist underpins HashiCorp Consul, Nomad, and Vault cluster communication, a single exploitable node crash can disrupt distributed coordination in dependent systems.
Memory exhaustion in HashiCorp memberlist before 0.6.0 allows network-accessible attackers to crash individual cluster nodes by sending crafted push/pull state synchronization messages to the gossip port, triggering unbounded memory allocation until the process terminates. The vulnerability is rooted in missing resource limits on incoming gossip state payloads (CWE-770). No public exploit code exists and CISA KEV listing is not confirmed; however, because memberlist underpins HashiCorp Consul, Nomad, and Vault cluster communication, a single exploitable node crash can disrupt distributed coordination in dependent systems.