DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-26931: Denial of Service via Decompression Bomb in Elastic Metricbeat Prometheus remote_write

Vulnerability ID: CVE-2026-26931
CVSS Score: 5.7
Published: 2026-03-19

Elastic Metricbeat is vulnerable to an unauthenticated Denial of Service (DoS) attack via a memory exhaustion flaw in the Prometheus remote_write HTTP handler. The handler trusts the uncompressed length declared in the header of a Snappy-compressed request body and sizes its output buffer from it, so a request of a few bytes can force a multi-gigabyte allocation and an Out-of-Memory (OOM) termination of the process. No credentials are required; anyone who can reach the listener can send the payload.

TL;DR

A CWE-789 (memory allocation with excessive size value) flaw in Elastic Metricbeat's Prometheus remote_write module lets an attacker who can reach the listener crash the service. Sending a crafted Snappy payload with a spoofed decompressed size forces the process to allocate that declared amount before decoding even starts, triggering the OOM killer.


Technical Details

  • CWE ID: CWE-789 (Memory Allocation with Excessive Size Value)
  • Attack Vector: Adjacent Network (AV:A)
  • CVSS Score: 5.7 (Medium)
  • Impact: Denial of Service (OOM process crash; the collector stops ingesting until restarted)
  • Exploit Status: No known exploitation
  • CISA KEV: Not Listed

Affected Systems

  • Elastic Metricbeat, Prometheus module, remote_write metricset
  • Metricbeat 8.0.0 through 8.19.12 (fixed in 8.19.13)
  • Metricbeat 9.0.0 through 9.2.4 (fixed in 9.2.5)

Code Analysis

Commit: de072c4

Add configuration to limit remote_write payload sizes and validate Snappy decompression size.
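The commit description above names two controls: a cap on the compressed request body and a check of the size the Snappy header declares before decompressing. To make the bug and the guard concrete, here is an added, self-contained Go program; it is not Metricbeat's code and not taken from commit de072c4 or the advisory. It builds a Snappy block whose length prefix claims 3 GiB while carrying a two-byte body, shows the allocation an unpatched, header-trusting decoder would make, and then applies a pre-decode guard parameterised by the two limits the advisory names. The limit values, the function names and the HTTP handler shape are assumptions for the demonstration; the only format detail relied on is that a Snappy block begins with a little-endian base-128 varint holding the uncompressed length.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Assumed values for the two settings named in the advisory; the page does
// not state their defaults, so these are demo numbers only.
const (
	maxCompressedBodyBytes = 1 << 20  // max_compressed_body_bytes: 1 MiB of Snappy input
	maxDecodedBodyBytes    = 16 << 20 // max_decoded_body_bytes: 16 MiB after decompression
)

var (
	errCompressedTooLarge = errors.New("remote_write: compressed body exceeds max_compressed_body_bytes")
	errDecodedTooLarge    = errors.New("remote_write: declared decoded size exceeds max_decoded_body_bytes")
	errBadHeader          = errors.New("remote_write: malformed snappy length header")
)

// snappyDeclaredLen reads the uncompressed-length varint that starts a Snappy
// block. The value is attacker-controlled: nothing else in the stream has to
// agree with it, which is the root of the decompression bomb.
func snappyDeclaredLen(src []byte) (uint64, error) {
	n, read := binary.Uvarint(src)
	if read <= 0 {
		return 0, errBadHeader
	}
	return n, nil
}

// bombPayload builds a constructed Snappy block whose header claims `claimed`
// output bytes but whose body is a single one-byte literal (tag 0x00 = literal
// of length 1, then the byte). A decoder that sizes its buffer from the header
// allocates `claimed` bytes before it can notice the body is far too short.
func bombPayload(claimed uint64) []byte {
	hdr := make([]byte, binary.MaxVarintLen64)
	n := binary.PutUvarint(hdr, claimed)
	return append(hdr[:n], 0x00, 'A')
}

// vulnerableAllocSize mirrors the unpatched path: trust the header and report
// the buffer size the decoder would allocate. It returns the number instead of
// calling make() so the demo shows the multi-GiB request without an OOM.
func vulnerableAllocSize(body []byte) (uint64, error) {
	return snappyDeclaredLen(body)
}

// checkRemoteWriteBody is the hardened pre-decode guard: bound the compressed
// size, then bound the size the header declares, and only then decompress.
func checkRemoteWriteBody(body []byte, maxCompressed, maxDecoded uint64) error {
	if uint64(len(body)) > maxCompressed {
		return errCompressedTooLarge
	}
	declared, err := snappyDeclaredLen(body)
	if err != nil {
		return err
	}
	if declared > maxDecoded {
		return errDecodedTooLarge
	}
	return nil
}

// remoteWriteHandler wires the guard into an HTTP handler (hypothetical shape).
// MaxBytesReader stops reading at the compressed limit, so an oversized upload
// never lands fully in memory either.
func remoteWriteHandler(maxCompressed, maxDecoded uint64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, int64(maxCompressed))
		body, err := io.ReadAll(r.Body)
		if err != nil {
			http.Error(w, errCompressedTooLarge.Error(), http.StatusRequestEntityTooLarge)
			return
		}
		if err := checkRemoteWriteBody(body, maxCompressed, maxDecoded); err != nil {
			http.Error(w, err.Error(), http.StatusRequestEntityTooLarge)
			return
		}
		// The real handler would now snappy-decode and parse the WriteRequest;
		// the demo stops at the guard.
		w.WriteHeader(http.StatusNoContent)
	})
}

// postStatus sends body to the handler in-process and returns the HTTP status.
func postStatus(h http.Handler, body []byte) int {
	req := httptest.NewRequest(http.MethodPost, "/write", bytes.NewReader(body))
	req.Header.Set("Content-Encoding", "snappy")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	bomb := bombPayload(3 << 30) // header claims 3 GiB; the request is 7 bytes
	if n, err := vulnerableAllocSize(bomb); err == nil {
		fmt.Printf("unpatched path would allocate %d bytes for a %d-byte request\n", n, len(bomb))
	}
	h := remoteWriteHandler(maxCompressedBodyBytes, maxDecodedBodyBytes)
	fmt.Println("guard on bomb:  ", checkRemoteWriteBody(bomb, maxCompressedBodyBytes, maxDecodedBodyBytes))
	fmt.Println("guard on benign:", checkRemoteWriteBody(bombPayload(1), maxCompressedBodyBytes, maxDecodedBodyBytes))
	fmt.Println("HTTP status for bomb:", postStatus(h, bomb))
}
```

Run it with `go run .`; the bomb is rejected with 413 while the one-byte block (a valid Snappy encoding of "A") passes. The order of the two checks matters: the compressed cap is enforced while the body is still being read, and the declared-size check runs on the first few bytes of the header, so neither costs more than the request itself before the decision is made. A decoded-size cap is also the only one of the two that stops this particular attack, since the bomb is tiny on the wire.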

Mitigation Strategies

  • Upgrade Elastic Metricbeat to the patched versions (8.19.13 or 9.2.5) and set the new size limits to match real telemetry volume.
  • Disable the Prometheus remote_write metricset where it is not actively used; the listener is only exposed when the metricset is enabled.
  • Restrict network access to the remote_write listener (TCP 9201 by default) to the Prometheus servers that legitimately push to it.

Remediation Steps:

  1. Identify all deployed Metricbeat instances running the prometheus module with the remote_write metricset enabled.
  2. Upgrade the Metricbeat binary to version 8.19.13 (for 8.x deployments) or 9.2.5 (for 9.x deployments).
  3. Review the new configuration parameters max_compressed_body_bytes and max_decoded_body_bytes and set them just above the largest legitimate WriteRequest your Prometheus servers send, so that the limits block bombs without dropping real batches.
  4. Restart the Metricbeat service to apply the updated binary and configuration, then confirm the listener still accepts a normal remote_write batch.
