CVE-2026-14362 in memberlist
Summary
by MITRE • 07/08/2026
HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/08/2026
The vulnerability identified as CVE-2026-14362 affects HashiCorp memberlist versions prior to 060, representing a critical denial-of-service weakness within the gossip protocol implementation that governs distributed system communication. This flaw specifically targets the push/pull state handling mechanism that enables nodes in a cluster to synchronize their membership information and state data across the network. The vulnerability resides in how the system processes incoming state updates from other nodes, creating an opportunity for malicious actors to exploit the protocol's memory management functions through crafted network traffic directed at the gossip port.
The technical exploitation of this vulnerability occurs when an attacker sends specially constructed state update messages to a target node that is participating in a memberlist cluster. These malformed or excessively large state packets can trigger unbounded memory allocation within the receiving node's state handling routines, causing progressive memory consumption until system resources are exhausted. The flaw manifests as a failure to properly validate incoming state data sizes and processing requirements, allowing attackers to craft messages that force the system into memory exhaustion scenarios without proper bounds checking or rate limiting mechanisms.
From an operational perspective, this vulnerability poses significant risk to distributed systems relying on HashiCorp memberlist for service discovery and cluster coordination. When exploited successfully, the denial-of-service condition can lead to complete process termination of affected nodes, causing cascading failures within the broader distributed system architecture. The impact extends beyond individual node compromise as it can disrupt entire service clusters, particularly in environments where memberlist is used for critical infrastructure components such as consul agents, nomad clients, or other distributed applications that depend on consistent cluster membership information.
The vulnerability aligns with CWE-400, which classifies memory exhaustion issues in software systems, and represents a classic example of how gossip protocols can become attack vectors when proper input validation is absent. From an adversary perspective, this issue maps to ATT&CK technique T1499.004 for network denial-of-service attacks and could potentially be leveraged in broader attack chains targeting infrastructure availability. The low barrier to exploitation makes this vulnerability particularly dangerous as it requires only network access to the gossip port, which is often exposed in cloud environments or containerized deployments where such services are accessible across network boundaries.
Mitigation strategies should prioritize immediate upgrade to memberlist version 060 or later, which includes proper bounds checking and memory allocation limits for state updates. Network segmentation and firewall rules should restrict access to gossip ports to only trusted nodes within the cluster, implementing principle of least privilege access controls. Additional protective measures include implementing rate limiting at network level for incoming protocol traffic and monitoring for unusual memory consumption patterns that might indicate exploitation attempts. Organizations should also consider implementing intrusion detection systems capable of identifying malformed gossip protocol messages and establishing alerting mechanisms for sudden increases in memory usage on critical nodes within their distributed environments.