HCSEC-2026-18 - Memberlist vulnerable to denial of service via gossip message
🔗 CVE IDs covered (1)
📋 Description
Bulletin ID: HCSEC-2026-18 Affected Products / Versions: memberlist up to 0.5.4; fixed in 0.6.0. Publication Date: July 8, 2026 Summary HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0. Background HashiCorp memberlist is a Go library that manages cluster membership and failure detection using a gossip-based protocol, and is embedded in HashiCorp products including Consul and Nomad. As part of state synchronization, nodes periodically exchange full membership and user state through a push/pull exchange over TCP, in which a message header declares the number of nodes and the size of the user state that follow. Details When a node received a push/pull state message, memberlist used the node count and user state length declared in the message header to pre-allocate memory before reading the remainder of the message, without validating those values against the actual message size or any upper bound. An attacker with network access to the gossip port could send a small, crafted message whose header declares very large values, causing the receiver to attempt an excessive memory allocation and be terminated, resulting in a denial of service. In clustered deployments, repeated requests could keep affected nodes unavailable. The affected path does not require authentication when gossip encryption is not enabled, which is the default configuration; clusters that enable gossip encryption require the shared key to communicate on the gossip port and are only exposed to authenticated exploitation of this issue. Remediation Customers should evaluate the risk associated with this issue and consider upgrading to memberlist 0.6.0, Consul 2.0.2, or Nomad 2.0.4. Customers who are unable to upgrade immediately can mitig…
🎯 Affected products2
- Consul
- Nomad