Packetbeat GO: Array Index Validation Flaw Enables DoS via Packet Poisoning
CVE-2026-26932 Published on February 26, 2026
Improper Validation of Array Index in Packetbeat Leading to Denial of Service
Improper Validation of Array Index (CWE-129) in the PostgreSQL protocol parser in Packetbeat can lead Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted packet causing a Go runtime panic that terminates the Packetbeat process. This vulnerability requires the pgsql protocol to be explicitly enabled and configured to monitor traffic on the targeted port.
Vulnerability Analysis
Weakness Type
What is an out-of-bounds array index Vulnerability?
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
CVE-2026-26932 has been classified to as an out-of-bounds array index vulnerability or weakness.
Affected Versions
Elastic Packetbeat:- Version 9.0.0, <= 9.2.4 is affected.
- Version 8.0.0, <= 8.19.10 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.