Memory Allocation with Excessive Size Value in Metricbeat Leading to Denial of Service
Memory Allocation with Excessive Size Value (CWE-789) in the Prometheus remote_write HTTP handler in Metricbeat can lead to Denial of Service via Excessive Allocation (CAPEC-130).
Affected Versions:
- 8.x: All versions from 8.0.0 up to and including 8.19.12
- 9.x: All versions from 9.0.0 up to and including 9.2.4
Affected Configurations:
The Prometheus remote_write module is not enabled by default in Metricbeat, so this issue only affects users who have enabled it.
Solutions and Mitigations:
The issue is resolved in versions 8.19.13 and 9.2.5.
For Users that Cannot Upgrade:
- Disable the remote_write module if it is not required for operations:
  - Remove or comment out the Prometheus remote_write configuration block in metricbeat.yml
  - Restart Metricbeat to apply changes
- Restrict network access using firewall rules or network policies:
  - Limit access to the remote_write endpoint to trusted Prometheus server IP addresses only
  - Use host: "localhost" binding if the Prometheus server runs on the same host
Indicators of Compromise (IOC)
Log Patterns:
- Metricbeat process termination with "out of memory" messages in system logs
- Repeated Metricbeat crashes or restarts when the Prometheus remote_write module is enabled
- OOM events in kernel logs (dmesg) or container orchestration logs targeting the Metricbeat process
Audit Trail Indicators:
- Sudden memory consumption spikes in Metricbeat process metrics immediately preceding process termination
- Network connections from unexpected or unauthorized source IP addresses to the remote_write endpoint port
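A triage sketch for the affected version ranges and the OOM log pattern listed above. It is an added example, not code from Elastic or Metricbeat. The function names, the one-hour repeat window, and the kernel OOM-killer message shape matched by the regex are assumptions, and the sample lines are constructed.

```python
import re

# Affected ranges from the advisory: (first affected, last affected), inclusive.
AFFECTED = [((8, 0, 0), (8, 19, 12)), ((9, 0, 0), (9, 2, 4))]

# Assumed Linux kernel OOM-killer message shape (global and cgroup variants).
OOM_RE = re.compile(
    r"(?:Out of memory|Memory cgroup out of memory): "
    r"Killed process (?P<pid>\d+) \((?P<comm>[^)]+)\)"
)


def is_affected(version: str) -> bool:
    """True if a Metricbeat version string falls in an affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def metricbeat_oom_kills(lines, window=3600.0, threshold=2):
    """Return (pids, repeated): OOM-killed Metricbeat PIDs and whether at
    least `threshold` kills fall within `window` seconds of each other."""
    hits = []
    for line in lines:
        m = OOM_RE.search(line)
        ts = re.match(r"\[\s*(\d+\.\d+)\]", line)  # dmesg uptime stamp
        if m and ts and m["comm"] == "metricbeat":
            hits.append((float(ts.group(1)), int(m["pid"])))
    hits.sort()
    times = [t for t, _ in hits]
    repeated = any(
        times[i + threshold - 1] - times[i] <= window
        for i in range(len(times) - threshold + 1)
    )
    return [pid for _, pid in hits], repeated


# Constructed sample lines in dmesg style (not taken from a real incident).
SAMPLE = [
    "[ 1042.118233] Out of memory: Killed process 2211 (metricbeat) total-vm:9120044kB, anon-rss:7811200kB",
    "[ 1050.000101] Out of memory: Killed process 3001 (java) total-vm:4120044kB, anon-rss:2811200kB",
    "[ 1398.551002] Memory cgroup out of memory: Killed process 2307 (metricbeat) total-vm:9050012kB, anon-rss:7790100kB",
]

if __name__ == "__main__":
    print(metricbeat_oom_kills(SAMPLE), is_affected("8.19.12"))
```

Lines without a bracketed uptime timestamp are ignored by this sketch, so feed it default `dmesg` output or adapt the timestamp pattern to your log source.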
Severity: CVSSv3.1: Medium (5.7) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-26931
Problem Type: CWE-789 - Memory Allocation with Excessive Size Value
Impact: CAPEC-130 - Excessive Allocation