CVE-2026-26932
Improper Array Index Validation in Packetbeat PostgreSQL Causes DoS
Publication date: 2026-02-26
Last updated on: 2026-03-12
Assigner: Elastic
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elasticsearch | packetbeat | From 8.0.0 (inc) to 8.19.11 (exc) |
| elasticsearch | packetbeat | From 9.0.0 (inc) to 9.2.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-129 | The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26932 is a vulnerability in the PostgreSQL protocol parser of Packetbeat. It involves improper validation of an array index, which can be exploited by sending a specially crafted PostgreSQL packet. This causes a Go runtime panic due to an 'index out of range' error, leading to the unexpected termination of the Packetbeat process.

This vulnerability only affects Packetbeat deployments where the pgsql protocol parser is explicitly enabled and configured to monitor PostgreSQL network traffic. [1]
How can this vulnerability impact me?
The primary impact of this vulnerability is a Denial of Service (DoS) condition. An attacker can cause the Packetbeat process to crash by sending a specially crafted packet, which triggers a runtime panic.

This results in the unavailability of Packetbeat's monitoring capabilities for PostgreSQL traffic, potentially disrupting network monitoring and analysis. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for Packetbeat process crashes accompanied by panic messages containing "runtime error: index out of range" and stack traces referencing packetbeat/protos/pgsql/parse.go.

Since the vulnerability occurs when the pgsql protocol parser is enabled, checking Packetbeat logs for these specific panic messages is a key indicator of compromise.

Suggested commands include examining Packetbeat logs for the panic message, for example using grep:

- `grep -i 'runtime error: index out of range' /var/log/packetbeat/packetbeat.log`
- `grep -i 'packetbeat/protos/pgsql/parse.go' /var/log/packetbeat/packetbeat.log`

Additionally, monitoring for unexpected Packetbeat process terminations or restarts can help detect exploitation attempts. [1]
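The two grep commands match the panic message and the parser path independently, so either one can hit on unrelated lines. The script below is an added example, not code from the advisory or from Elastic: it reports only those panics whose stack trace reaches packetbeat/protos/pgsql/parse.go shortly after the panic line. The function names, the 40-line window and the sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: not from the advisory or from Elastic.
# pgsql_panics FILE [WINDOW]
#   Prints "<line number><TAB><panic text>" for each "index out of range"
#   panic whose stack trace reaches the pgsql parser within WINDOW lines
#   (default 40, an assumed value).
pgsql_panics() {
    awk -v window="${2:-40}" '
        /runtime error: index out of range/ {
            panic_line = NR; panic_text = $0; remaining = window; next
        }
        remaining > 0 {
            # A Go stack frame names its source as "<file>.go:<line>"; requiring
            # the ":<digits>" suffix keeps prose mentions of the path out.
            if (match($0, "packetbeat/protos/pgsql/parse[.]go:[0-9]+")) {
                printf "%d\t%s\n", panic_line, panic_text
                remaining = 0
            } else {
                remaining--
            }
        }
    ' "$1"
}

# Number of panics attributable to the pgsql parser.
count_pgsql_panics() { pgsql_panics "$@" | wc -l | tr -d ' '; }

# Constructed sample log: one pgsql parser panic, one unrelated panic and two
# prose mentions of the path. Function names and offsets are placeholders.
write_sample_log() {
    cat > "$1" <<'EOF'
2026-03-01T10:00:00Z INFO constructed sample: packetbeat started
2026-03-01T10:00:05Z WARN constructed sample: note about packetbeat/protos/pgsql/parse.go
panic: runtime error: index out of range [7] with length 4
goroutine 1 [running]:
example.placeholderParse(...)
    /build/packetbeat/protos/pgsql/parse.go:1 +0x0
2026-03-01T10:05:00Z INFO constructed sample: packetbeat started
panic: runtime error: index out of range [2] with length 1
goroutine 1 [running]:
example.placeholderOther(...)
    /build/example/other/file.go:1 +0x0
2026-03-01T10:06:00Z WARN constructed sample: packetbeat/protos/pgsql/parse.go mentioned, no frame
EOF
}

if [ "$#" -gt 0 ]; then pgsql_panics "$@"; fi
```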
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Packetbeat to version 8.19.11 or 9.2.5 or later, where this vulnerability is fixed.
If upgrading is not possible immediately, disable the pgsql protocol parser by removing or commenting out its configuration in the packetbeat.yml file to prevent the vulnerability from being exploitable.