High7.5Red Hat & Ubuntu Linux Updated
HashiCorp memberlist: Denial of Service via push/pull state handling
CVE-2026-14362 Published Jul 8, 2026Updated by vendor Jul 8, 2026
CVE-2026-14362
Affected products & platforms
Red Hat & Ubuntu LinuxUnclassified
Summary
HashiCorp memberlist: Denial of Service via push/pull state handling. Red Hat rates this important (CVSS 7.5). Weakness: CWE-770. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Mitigation checklist
Recommended fix / mitigation
- Upgrade github.com/hashicorp/memberlist to version 0.6.0 or later, which fixes the push/pull state handling issue. As a temporary mitigation, restrict network access to the gossip port (UDP/TCP, commonly 7946 or 9094) to trusted cluster members only, e.g. via network policy, firewall rules, or security groups, since the flaw requires network access to the gossip listener to trigger memory exhaustion.
Official advisory · high-confidence parse· fetched 3 minutes ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.