HCSEC-2026-18 - Memberlist vulnerable to denial of service via gossip message

Bulletin ID: HCSEC-2026-18

Affected Products / Versions: memberlist up to 0.5.4; fixed in 0.6.0.

Publication Date: July 8, 2026

Summary

HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0.

Background

HashiCorp memberlist is a Go library that manages cluster membership and failure detection using a gossip-based protocol, and is embedded in HashiCorp products including Consul and Nomad. As part of state synchronization, nodes periodically exchange full membership and user state through a push/pull exchange over TCP, in which a message header declares the number of nodes and the size of the user state that follow.

Details

When a node received a push/pull state message, memberlist used the node count and user state length declared in the message header to pre-allocate memory before reading the remainder of the message, without validating those values against the actual message size or any upper bound. An attacker with network access to the gossip port could send a small, crafted message whose header declares very large values, causing the receiver to attempt an excessive memory allocation and be terminated, resulting in a denial of service. In clustered deployments, repeated requests could keep affected nodes unavailable. The affected path does not require authentication when gossip encryption is not enabled, which is the default configuration; clusters that enable gossip encryption require the shared key to communicate on the gossip port and are only exposed to authenticated exploitation of this issue.

Remediation

Customers should evaluate the risk associated with this issue and consider upgrading to memberlist 0.6.0, Consul 2.0.2, or Nomad 2.0.4. Customers who are unable to upgrade immediately can mitigate unauthenticated exploitation of this issue by enabling gossip encryption.

Acknowledgement

This issue was reported to HashiCorp by Andy Gill of ZephrSec.

We deeply appreciate any effort to coordinate disclosure of security vulnerabilities. For information about security at HashiCorp and the reporting of security vulnerabilities, please see https://hashicorp.com/security.