๐Ÿ” CVE Alert

CVE-2026-14362

MEDIUM 4.9

Denial of service via crafted push/pull gossip message in memberlist

CVSS Score
4.9
EPSS Score
0.0%
EPSS Percentile
0th

HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0.

CWE CWE-770
Vendor hashicorp
Product shared library
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for hashicorp shared library

Be the first to know when new medium vulnerabilities affecting hashicorp shared library are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

HashiCorp / Shared library
0.1.5 < 0.6.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
discuss.hashicorp.com: https://discuss.hashicorp.com/t/hcsec-2026-18-memberlist-vulnerable-to-denial-of-service-via-gossip-message/77556

Credits

This issue was reported to HashiCorp by Andy Gill of ZephrSec.