๐Ÿ” CVE Alert

CVE-2026-44160

HIGH 7.5

Fluentd: Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`

CVSS Score
7.5
EPSS Score
0.6%
EPSS Percentile
46th

Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd's in_http and in_forward plugins support gzip-compressed data but enforce limits only on compressed payloads through settings such as body_size_limit and chunk_size_limit, allowing crafted compressed payloads to decompress in memory to an excessive size and cause denial of service through memory exhaustion. This issue is fixed in version 1.19.3.

CWE CWE-409
Vendor fluent
Product fluentd
Published Jul 8, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for fluent fluentd

Be the first to know when new high vulnerabilities affecting fluent fluentd are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

fluent / fluentd
< 1.19.3

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/fluent/fluentd/security/advisories/GHSA-j9cw-hwqf-85w7 github.com: https://github.com/fluent/fluentd/pull/5393 github.com: https://github.com/fluent/fluentd/commit/f5f2b7cddf8aab3932e6dec9fa367a5f3eb27e10 github.com: https://github.com/fluent/fluentd/releases/tag/v1.19.3