Skip to main content

Shared Library

1 CVEs product

Monthly

CVE-2026-14362 MEDIUM PATCH This Month

Memory exhaustion in HashiCorp memberlist before 0.6.0 allows network-accessible attackers to crash individual cluster nodes by sending crafted push/pull state synchronization messages to the gossip port, triggering unbounded memory allocation until the process terminates. The vulnerability is rooted in missing resource limits on incoming gossip state payloads (CWE-770). No public exploit code exists and CISA KEV listing is not confirmed; however, because memberlist underpins HashiCorp Consul, Nomad, and Vault cluster communication, a single exploitable node crash can disrupt distributed coordination in dependent systems.

Hashicorp Denial Of Service Shared Library
NVD
CVSS 3.1
4.9
EPSS
0.3%
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Memory exhaustion in HashiCorp memberlist before 0.6.0 allows network-accessible attackers to crash individual cluster nodes by sending crafted push/pull state synchronization messages to the gossip port, triggering unbounded memory allocation until the process terminates. The vulnerability is rooted in missing resource limits on incoming gossip state payloads (CWE-770). No public exploit code exists and CISA KEV listing is not confirmed; however, because memberlist underpins HashiCorp Consul, Nomad, and Vault cluster communication, a single exploitable node crash can disrupt distributed coordination in dependent systems.

Hashicorp Denial Of Service Shared Library
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy