CVE-2026-26931
Excessive Memory Allocation in Metricbeat remote_write Causes DoS
Publication date: 2026-03-19
Last updated on: 2026-03-19
Assigner: Elastic
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elastic | metricbeat | From 8.0.0 (inc) to 8.19.12 (inc) |
| elastic | metricbeat | From 9.0.0 (inc) to 9.2.4 (inc) |
| elastic | metricbeat | 8.19.13 |
| elastic | metricbeat | 9.2.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26931 is a vulnerability in Metricbeat's Prometheus remote_write HTTP handler that involves memory allocation with an excessive size value (CWE-789). This flaw can cause the system to allocate an excessive amount of memory, leading to a Denial of Service (DoS) condition by exhausting available memory resources.
The vulnerability affects Metricbeat versions 8.0.0 through 8.19.12 and 9.0.0 through 9.2.4, specifically when the Prometheus remote_write module is enabled, which is not the default setting. [1]
How can this vulnerability impact me?
This vulnerability can impact you by causing Denial of Service (DoS) on the system running Metricbeat. When exploited, it can lead to excessive memory allocation, resulting in the Metricbeat process terminating due to out-of-memory errors, repeated crashes or restarts, and overall unavailability of the Metricbeat service.
- Metricbeat process terminations with "out of memory" errors in system logs.
- Repeated crashes or restarts when the remote_write module is enabled.
- Out-of-memory (OOM) events in kernel or container orchestration logs.
- Sudden spikes in Metricbeat memory consumption metrics before termination.
- Unexpected network connections to the remote_write endpoint. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for several indicators of compromise related to Metricbeat's Prometheus remote_write module.
- Check system logs for Metricbeat process terminations with "out of memory" errors.
- Look for repeated crashes or restarts of Metricbeat when the remote_write module is enabled.
- Inspect kernel logs or container orchestration logs for out-of-memory (OOM) events.
- Monitor Metricbeat memory consumption metrics for sudden spikes before termination.
- Detect unexpected network connections to the remote_write endpoint.
Suggested commands include:
- Use `journalctl -u metricbeat` or `grep metricbeat /var/log/syslog` to find out-of-memory errors or crashes.
- Run `dmesg | grep -i oom` to check for kernel OOM killer events.
- Use monitoring tools or commands like `top`, `htop`, or `ps` to observe Metricbeat memory usage spikes.
- Use network monitoring tools such as `netstat -anp | grep metricbeat` or `ss -tunap | grep metricbeat` to detect unexpected remote_write endpoint connections. [1]
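The log checks above can be combined into one triage pass over kernel and systemd log text. This is an added example, not part of the original page or of Elastic's tooling; the sample log lines are constructed, and the function names and the thresholds (two OOM kills, one restart) are assumptions.

```sh
#!/bin/sh
# Added example: triage of the OOM and restart indicators for metricbeat.
# The log lines below are constructed for illustration, not from a real host.
sample_logs() {
cat <<'EOF'
Mar 19 10:01:02 host1 kernel: Out of memory: Killed process 4121 (metricbeat) total-vm:9437184kB, anon-rss:8123456kB, file-rss:0kB, shmem-rss:0kB
Mar 19 10:01:02 host1 systemd[1]: metricbeat.service: Main process exited, code=killed, status=9/KILL
Mar 19 10:01:02 host1 systemd[1]: metricbeat.service: Failed with result 'oom-kill'.
Mar 19 10:01:12 host1 systemd[1]: metricbeat.service: Scheduled restart job, restart counter is at 1.
Mar 19 10:03:40 host1 kernel: Out of memory: Killed process 4377 (metricbeat) total-vm:9437184kB, anon-rss:8200112kB, file-rss:0kB, shmem-rss:0kB
Mar 19 10:03:50 host1 systemd[1]: metricbeat.service: Scheduled restart job, restart counter is at 2.
Mar 19 10:05:00 host1 kernel: Out of memory: Killed process 5000 (java) total-vm:4194304kB, anon-rss:3900000kB, file-rss:0kB, shmem-rss:0kB
EOF
}

# Count kernel OOM kills whose victim is metricbeat (log text on stdin).
count_oom_kills() {
  grep -Eci 'out of memory: killed process [0-9]+ \(metricbeat\)' || true
}

# Highest systemd restart counter seen for metricbeat.service (0 if none).
max_restarts() {
  awk '/metricbeat\.service: Scheduled restart job/ {
         n = $NF; sub(/\.$/, "", n); if (n + 0 > max) max = n + 0
       } END { print max + 0 }'
}

# Largest anon-rss (kB) among metricbeat OOM victims; empty if there are none.
peak_rss_kb() {
  grep -Ei 'killed process [0-9]+ \(metricbeat\)' |
    sed -E 's/.*anon-rss:([0-9]+)kB.*/\1/' | sort -n | tail -n 1
}

# Verdict over one log stream. Thresholds (>=2 kills, >=1 restart) are
# assumptions for this example; tune them per host.
triage() {
  logs=$(cat)
  kills=$(printf '%s\n' "$logs" | count_oom_kills)
  restarts=$(printf '%s\n' "$logs" | max_restarts)
  peak=$(printf '%s\n' "$logs" | peak_rss_kb)
  verdict=OK
  if [ "$kills" -ge 2 ] && [ "$restarts" -ge 1 ]; then verdict=SUSPECT; fi
  echo "$verdict kills=$kills restarts=$restarts peak_anon_rss_kb=${peak:-0}"
}

sample_logs | triage
```

On a live host, pipe the output of the `journalctl` and `dmesg` commands listed above into `triage` instead of `sample_logs`. A SUSPECT verdict only shows the crash pattern; OOM kills have other causes, so correlate it with connections to the remote_write endpoint.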
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for this vulnerability include:
- Upgrade Metricbeat to version 8.19.13 or 9.2.5 or later, where the vulnerability is fixed.
- If upgrading is not possible immediately, disable the Prometheus remote_write module by removing or commenting out its configuration in metricbeat.yml and then restart Metricbeat.
- Restrict network access to the remote_write endpoint by applying firewall rules or network policies to allow only trusted Prometheus server IP addresses.
- If the Prometheus server runs on the same host as Metricbeat, bind the remote_write service to localhost to prevent external access.