CVE-2026-44160
Received Received - Intake

Denial of Service in Fluentd via Gzip Payload

Vulnerability report for CVE-2026-44160, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's in_http and in_forward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as body_size_limit and chunk_size_limit, allowing crafted compressed payloads to decompress in memory to an excessive size and cause denial of service through memory exhaustion. This issue is fixed in version 1.19.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
treasure_data fluentd 1.19.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Fluentd versions prior to 1.19.3, specifically in the in_http and in_forward plugins. These plugins support gzip-compressed data and enforce limits only on the compressed payload size using settings like body_size_limit and chunk_size_limit. However, crafted compressed payloads can decompress into a much larger size in memory, which is not properly limited. This can lead to excessive memory consumption.

As a result, an attacker can send specially crafted compressed data that decompresses to an excessively large size, causing the Fluentd process to exhaust available memory and crash or become unresponsive, leading to a denial of service (DoS).

This issue was fixed in Fluentd version 1.19.3.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition. An attacker can exploit it by sending crafted compressed payloads that decompress to very large sizes, causing Fluentd to consume excessive memory.

This memory exhaustion can cause Fluentd to crash or become unresponsive, disrupting the collection and processing of logs and events from various data sources.

Such disruption can affect system monitoring, logging, and data processing workflows that rely on Fluentd, potentially leading to loss of visibility into system operations or delayed incident response.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Fluentd to version 1.19.3 or later, where the issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44160. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart