CVE-2026-26932
Published: 26 February 2026
Summary
CVE-2026-26932 is a medium-severity Improper Validation of Array Index (CWE-129) vulnerability in Elasticsearch Packetbeat. Its CVSS base score is 5.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 36.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-26932 is an Improper Validation of Array Index vulnerability (CWE-129) in the PostgreSQL protocol parser within Packetbeat. This issue enables a Denial of Service via Input Data Manipulation (CAPEC-153), where an attacker can send a specially crafted packet that triggers a Go runtime panic, terminating the Packetbeat process. The vulnerability is present only when the pgsql protocol is explicitly enabled and configured to monitor traffic on the targeted port.
An attacker with adjacent network access (AV:A) and low privileges (PR:L) can exploit this with low attack complexity (AC:L) and no user interaction (UI:N); the scope is unchanged (S:U). Successful exploitation has a high availability impact (A:H) through process termination, with no effect on confidentiality (C:N) or integrity (I:N), giving a CVSS score of 5.7 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
The Elastic Security Advisory ESA-2026-10, detailed at https://discuss.elastic.co/t/packetbeat-8-19-11-9-2-5-security-update-esa-2026-10/385247, addresses this vulnerability with security updates for Packetbeat.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8864
Vulnerability details
Improper Validation of Array Index (CWE-129) in the PostgreSQL protocol parser in Packetbeat can lead to Denial of Service via Input Data Manipulation (CAPEC-153). An attacker can send a specially crafted packet causing a Go runtime panic that terminates the Packetbeat process. This vulnerability requires the pgsql protocol to be explicitly enabled and configured to monitor traffic on the targeted port.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets a crafted packet crash the Packetbeat process (T1499.004 Application or System Exploitation). Because Packetbeat is a security monitoring tool, this directly facilitates disabling or modifying defenses to evade detection (T1562.001).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of array indices and other input fields in the pgsql protocol parser before processing, blocking the crafted packets that trigger the Go runtime panic.
Limits the impact of resource exhaustion or process termination by enforcing denial-of-service protections on network-facing protocol handlers such as Packetbeat's pgsql parser.
Requires disabling the pgsql protocol module when not needed, eliminating the attack surface that only exists when the vulnerable parser is explicitly enabled.