Description
HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0.
Problem types
CWE-770: Allocation of Resources Without Limits or Throttling
Product status
0.1.5 (semver) before 0.6.0
Credits
This issue was reported to HashiCorp by Andy Gill of ZephrSec.
References
discuss.hashicorp.com/...of-service-via-gossip-message/77556