Cyber Posture

CVE-2026-26932

Medium

Published: 26 February 2026

Modified: 12 March 2026
KEV Added
Patch
CVSS Score: 5.7 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (8.2th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26932 is a medium-severity Improper Validation of Array Index (CWE-129) vulnerability in Elasticsearch Packetbeat. Its CVSS base score is 5.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 8.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004) and 1 other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

T1562.001 Disable or Modify Tools · Stealth
Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.
Why these techniques?

A crafted packet can crash the Packetbeat process (T1499.004 Application or System Exploitation). Because Packetbeat is a security monitoring tool, crashing it also disables a defensive control, which helps an attacker evade detection (T1562.001 Disable or Modify Tools).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Validation of Array Index (CWE-129) in the PostgreSQL protocol parser in Packetbeat can lead to Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted packet causing a Go runtime panic that terminates the Packetbeat process. This vulnerability requires the pgsql protocol to be explicitly enabled and configured to monitor traffic on the targeted port.

Deeper analysis

CVE-2026-26932 is an Improper Validation of Array Index vulnerability (CWE-129) in the PostgreSQL protocol parser within Packetbeat. This issue enables a Denial of Service via Input Data Manipulation (CAPEC-153), where an attacker can send a specially crafted packet that triggers a Go runtime panic, terminating the Packetbeat process. The vulnerability is present only when the pgsql protocol is explicitly enabled and configured to monitor traffic on the targeted port.

Exploitation requires adjacent network access (AV:A) and low privileges (PR:L), has low attack complexity (AC:L), needs no user interaction (UI:N), and leaves the scope unchanged (S:U). Successful exploitation results in high availability impact (A:H) through process termination, with no effect on confidentiality (C:N) or integrity (I:N), giving a CVSS score of 5.7 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

The Elastic Security Advisory ESA-2026-10, detailed at https://discuss.elastic.co/t/packetbeat-8-19-11-9-2-5-security-update-esa-2026-10/385247, addresses this vulnerability with security updates for Packetbeat.

Details

CWE(s)

Affected Products

elasticsearch
packetbeat
8.0.0 — 8.19.11 · 9.0.0 — 9.2.5

CVEs Like This One

CVE-2026-33281 (shared CWE-129)
CVE-2026-40886 (shared CWE-129)
CVE-2026-0528 (shared CWE-129)
CVE-2024-45569 (shared CWE-129)
CVE-2025-71086 (shared CWE-129)
CVE-2026-25882 (shared CWE-129)
CVE-2025-21680 (shared CWE-129)
CVE-2025-69248 (shared CWE-129)
CVE-2026-32285 (shared CWE-129)
CVE-2024-45582 (shared CWE-129)
