Improper Validation of Array Index in Packetbeat Leading to Denial of Service
Improper Validation of Array Index (CWE-129) in multiple protocol parser components in Packetbeat can lead to Denial of Service via Input Data Manipulation (CAPEC-153). An attacker with the ability to send specially crafted, malformed network packets to a monitored network interface can trigger out-of-bounds read operations, resulting in application crashes or resource exhaustion. This requires the attacker to be positioned on the same network segment as the Packetbeat deployment or to control traffic routed to monitored interfaces.
Affected Versions:
- 8.x: All versions from 8.0.0 up to and including 8.19.10
- 9.x: All versions from 9.0.0 up to and including 9.2.4
Affected Configurations:
Packetbeat protocol parsing is enabled by default for configured protocols. Network traffic capture requires explicit configuration of network interfaces and protocols to monitor in packetbeat.yml. The vulnerable parsers are only active when their respective protocols are explicitly enabled in the configuration.
Solutions and Mitigations:
The issue is resolved in versions 8.19.11 and 9.2.5.
For Users that Cannot Upgrade:
Network Segmentation: Ensure Packetbeat instances only monitor trusted network segments and implement network-level controls to prevent untrusted sources from sending traffic to monitored interfaces. This will reduce the likelihood of exploitation.
Indicators of Compromise (IOC)
- Frequent panic/crash events in Packetbeat logs
- Error messages related to index out of range or slice bounds violations
- Repeated restarts of the Packetbeat process
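The indicators above can be checked mechanically. This Go program is an added example, not part of the advisory or of Packetbeat's code: it scans a log for the Go runtime's out-of-bounds panic messages and counts process start-ups. The sample log is constructed, and the start-up marker string is an assumption to adjust to your own logs.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Go runtime panic text for out-of-bounds index and slice operations.
var oobPanic = regexp.MustCompile(`runtime error: (index out of range|slice bounds out of range)`)

// ASSUMPTION: the line your Packetbeat or service manager logs at start-up.
const startMarker = "packetbeat start running"

// Constructed sample log, not real Packetbeat output.
const sampleLog = `2026-01-10T09:00:01Z INFO packetbeat start running.
2026-01-10T09:00:07Z INFO loaded index template
panic: runtime error: index out of range [12] with length 8
2026-01-10T09:00:15Z INFO packetbeat start running.
panic: runtime error: slice bounds out of range [:40] with capacity 16
2026-01-10T09:00:31Z INFO packetbeat start running.`

// Findings counts the advisory's indicators seen in one log.
type Findings struct {
	OOBPanics int // index/slice bounds panics
	Starts    int // process start-ups (restarts = Starts - 1)
}

// Scan reads the log line by line and tallies both indicators.
func Scan(log string) Findings {
	var f Findings
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		if oobPanic.MatchString(line) {
			f.OOBPanics++
		}
		if strings.Contains(line, startMarker) {
			f.Starts++
		}
	}
	return f
}

// Suspicious flags any bounds panic, or more start-ups than maxStarts.
func (f Findings) Suspicious(maxStarts int) bool {
	return f.OOBPanics > 0 || f.Starts > maxStarts
}

func main() {
	f := Scan(sampleLog)
	fmt.Printf("bounds panics=%d starts=%d suspicious=%v\n", f.OOBPanics, f.Starts, f.Suspicious(1))
}
```

A log with a single start-up and no bounds panic is not flagged; an ordinary line that merely contains the word "index" does not match the panic pattern.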
Severity: CVSSv3.1: Medium (5.7) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-26933
Problem Type: CWE-129 - Improper Validation of Array Index
Impact: CAPEC-153 - Input Data Manipulation