HashiCorp memberlist <0.6.0 DoS via Push/Pull Gossip Port
CVE-2026-14362 Published on July 8, 2026
Denial of service via crafted push/pull gossip message in memberlist
HashiCorp memberlist before version 0.6.0 is vulnerable to a denial-of-service issue in its push/pull state handling that may allow an attacker with network access to the gossip port to exhaust memory on a receiving node and cause the process to terminate. This vulnerability (CVE-2026-14362) is fixed in memberlist 0.6.0.
Weakness Type
Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.
Affected Versions
HashiCorp Shared library:- Version 0.1.5 and below 0.6.0 is affected.