PT-2026-53004 · Fluentd+2 · Fluentd

Published

2026-06-26

·

Updated

2026-07-09

·

CVE-2026-44160

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions Fluentd versions prior to 1.19.3
Description The in http and in forward plugins support gzip-compressed data but only enforce size limits on the compressed payloads via settings like body size limit and chunk size limit. Because no limit is enforced on the size of the decompressed data, a crafted compressed payload can expand to an excessive size in memory during decompression. This leads to memory exhaustion and a Denial of Service (DoS), which may result in the operating system terminating the process and disrupting log collection and forwarding capabilities.
Recommendations Update to version 1.19.3. Restrict network access to Fluentd input ports, such as 9880 for in http and 24224 for in forward, ensuring they are only accessible within a closed, trusted network. Place a reverse proxy in front of Fluentd to handle gzip decompression and enforce strict limits on both compressed and uncompressed body sizes.

Exploit

Fix

DoS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44160
GHSA-J9CW-HWQF-85W7

Affected Products

Fluentd