Cyber Resilience

CVE-2026-26932

Medium

Published: 26 February 2026

Modified: 12 March 2026
CVSS Score v3.1: 5.7 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0045 (36.1th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-26932 is a medium-severity Improper Validation of Array Index (CWE-129) vulnerability in Elasticsearch Packetbeat. Its CVSS base score is 5.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 36.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-26932 is an Improper Validation of Array Index vulnerability (CWE-129) in the PostgreSQL protocol parser within Packetbeat. This issue enables a Denial of Service via Input Data Manipulation (CAPEC-153), where an attacker can send a specially crafted packet that triggers a Go runtime panic, terminating the Packetbeat process. The vulnerability is present only when the pgsql protocol is explicitly enabled and configured to monitor traffic on the targeted port.
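The bug class described above, shown on the body of a PostgreSQL DataRow message (an Int16 column count, then an Int32 length and value bytes per column). This is an added example, not Packetbeat's code and not a reproduction of the actual flaw; the function names are hypothetical and the sample bytes are constructed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var errShort = errors.New("pgsql: length field exceeds captured bytes")

// dataRowUnchecked slices with wire-supplied lengths (NULL handling omitted).
func dataRowUnchecked(body []byte) [][]byte {
	cols, off := [][]byte{}, 2
	for n := int(binary.BigEndian.Uint16(body)); n > 0; n-- {
		l := int(binary.BigEndian.Uint32(body[off:]))
		cols = append(cols, body[off+4:off+4+l]) // runtime panic if l overruns
		off += 4 + l
	}
	return cols
}

// dataRowChecked validates each offset against len(body) before slicing.
func dataRowChecked(body []byte) ([][]byte, error) {
	if len(body) < 2 {
		return nil, errShort
	}
	cols, off := [][]byte{}, 2
	for n := int(binary.BigEndian.Uint16(body)); n > 0; n-- {
		if len(body)-off < 4 {
			return nil, errShort
		}
		l := int(int32(binary.BigEndian.Uint32(body[off:])))
		off += 4
		var col []byte // stays nil for SQL NULL (length -1)
		if l != -1 {
			if l < 0 || l > len(body)-off {
				return nil, errShort
			}
			col, off = body[off:off+l], off+l
		}
		cols = append(cols, col)
	}
	return cols, nil
}

func main() {
	crafted := []byte{0, 1, 0, 0, 0, 0x40, 'o', 'k'} // constructed sample
	_, err := dataRowChecked(crafted)
	fmt.Println("checked parser:", err)
}
```

The unchecked variant panics on the same input; in a goroutine without a recover, that panic ends the whole process, which is the availability impact the CVSS vector records.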

Attackers with adjacent network access (AV:A) and low privileges (PR:L) can exploit this at low attack complexity (AC:L) without user interaction (UI:N), with scope unchanged (S:U). Successful exploitation results in high availability impact (A:H) through process termination, with no effect on confidentiality (C:N) or integrity (I:N), as scored at CVSS 5.7 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

The Elastic Security Advisory ESA-2026-10, detailed at https://discuss.elastic.co/t/packetbeat-8-19-11-9-2-5-security-update-esa-2026-10/385247, addresses this vulnerability with security updates for Packetbeat.

Vulnerability details

Improper Validation of Array Index (CWE-129) in the PostgreSQL protocol parser in Packetbeat can lead to Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted packet causing a Go runtime panic that terminates the Packetbeat process. This vulnerability requires the pgsql protocol to be explicitly enabled and configured to monitor traffic on the targeted port.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

T1685 Disable or Modify Tools (Defense Impairment)
Adversaries may disable, degrade, or tamper with security tools or applications (e.

Why these techniques?

The vulnerability lets a crafted packet crash the Packetbeat process (T1499.004 Application or System Exploitation). Because Packetbeat is a security monitoring tool, this directly facilitates disabling or modifying defenses to evade detection (T1562.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0528 (shared CWE-129)
CVE-2026-41643 (shared CWE-129)
CVE-2026-32286 (shared CWE-129)
CVE-2026-40886 (shared CWE-129)
CVE-2026-33281 (shared CWE-129)
CVE-2025-71086 (shared CWE-129)
CVE-2025-21680 (shared CWE-129)
CVE-2025-69248 (shared CWE-129)
CVE-2026-32285 (shared CWE-129)
CVE-2026-25882 (shared CWE-129)

Affected Assets

elasticsearch
packetbeat
8.0.0 — 8.19.11 · 9.0.0 — 9.2.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly requires validation of array indices and other input fields in the pgsql protocol parser before processing, blocking the crafted packets that trigger the Go runtime panic.

prevent

Limits the impact of resource exhaustion or process termination by enforcing denial-of-service protections on network-facing protocol handlers such as Packetbeat's pgsql parser.

prevent

Requires disabling the pgsql protocol module when not needed, eliminating the attack surface that only exists when the vulnerable parser is explicitly enabled.
