CVE-2026-14362
Received Received - Intake

Denial-of-Service in HashiCorp memberlist

Vulnerability report for CVE-2026-14362, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: HashiCorp Inc.

Description

HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
hashicorp memberlist to 0.5.4 (inc)
hashicorp memberlist 0.6.0
hashicorp consul 2.0.2
hashicorp nomad 2.0.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can lead to a denial-of-service condition on affected nodes by exhausting their memory resources.

An attacker with network access to the gossip port can cause the affected process to terminate, potentially disrupting services that rely on memberlist, Consul, or Nomad.

If gossip encryption is disabled (which is the default), the attacker does not need to authenticate to exploit this vulnerability, increasing the risk.

Enabling gossip encryption can mitigate unauthenticated exploitation but does not remove the underlying vulnerability.

Executive Summary

HashiCorp memberlist versions before 0.6.0 have a denial-of-service (DoS) vulnerability in their gossip message handling. An attacker with network access to the gossip port can send specially crafted messages that falsely declare very large values for node count and user state size.

This causes the receiving node to try to allocate excessive amounts of memory, which can exhaust the node's memory resources and cause the process to terminate unexpectedly.

The vulnerability affects memberlist up to version 0.5.4 and is fixed in version 0.6.0.

Detection Guidance

This vulnerability can be detected by identifying if your system is running HashiCorp memberlist versions up to 0.5.4 or affected versions of Consul and Nomad that embed memberlist. Specifically, check the version of memberlist or the embedded versions in Consul and Nomad.

To detect potential exploitation attempts on your network, monitor traffic on the gossip port for unusually large or malformed gossip messages that declare falsely large node counts or user state sizes.

Suggested commands to check installed versions:

  • For memberlist: `memberlist --version` or check the version in your deployment manifests or binaries.
  • For Consul: `consul version`
  • For Nomad: `nomad version`

To monitor network traffic on the gossip port (default 7946), you can use tools like tcpdump or Wireshark to capture and analyze packets for suspiciously large gossip messages.

  • Example tcpdump command: `tcpdump -i <interface> port 7946 -w gossip_traffic.pcap`
  • Then analyze the capture with Wireshark or similar tools to look for abnormal message sizes.
Mitigation Strategies

Immediate mitigation steps include upgrading to the fixed versions: memberlist 0.6.0, Consul 2.0.2, or Nomad 2.0.4 or later.

If upgrading immediately is not possible, enabling gossip encryption can mitigate unauthenticated exploitation since the vulnerability does not require authentication only when gossip encryption is disabled (which is the default).

Additionally, monitor network traffic on the gossip port for suspicious activity and consider restricting network access to the gossip port to trusted sources only.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14362. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart