HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0.
History

Wed, 08 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Hashicorp
Hashicorp shared Library
Vendors & Products Hashicorp
Hashicorp shared Library

Wed, 08 Jul 2026 17:30:00 +0000

Type Values Removed Values Added
Description HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0.
Title Denial of service via crafted push/pull gossip message in memberlist
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: HashiCorp

Published:

Updated: 2026-07-08T19:40:16.119Z

Reserved: 2026-07-01T19:07:40.964Z

Link: CVE-2026-14362

cve-icon Vulnrichment

Updated: 2026-07-08T18:29:57.500Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T19:00:07Z