
PEACH
Un cadre d’isolation des locataires
CVE-2026-44160 is a Denial of Service (DoS) vulnerability in Fluentd's in_http and in_forward plugins caused by a gzip decompression bomb ("zip bomb") attack. Fluentd correctly enforces size limits on incoming compressed payloads via body_size_limit or chunk_size_limit, but no limit is enforced on the size of the decompressed data, allowing an attacker to bypass these controls entirely. All Fluentd versions up to and including 1.19.2 (RubyGems package) are affected; the issue was patched in v1.19.3. The advisory was published on June 26, 2026, with a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Fluentd Release).
The root cause is classified as CWE-409 (Improper Handling of Highly Compressed Data / Data Amplification): Fluentd decompresses gzip payloads in memory without enforcing any limit on the resulting uncompressed size, even though limits exist for the compressed input. An unauthenticated remote attacker can craft a small, highly compressed gzip payload (a "decompression bomb") and send it to Fluentd's HTTP input port (default: 9880) or forward input port (default: 24224). Upon decompression, the payload expands to an arbitrarily large size in memory, exhausting available RAM. No authentication or special privileges are required; the only precondition is network access to an exposed Fluentd input port (GitHub Advisory, Fluentd Security Advisory).
Successful exploitation causes rapid memory exhaustion on the host running Fluentd, which typically triggers an Out-of-Memory (OOM) kill of the Fluentd process by the operating system. This results in complete disruption of all log collection and forwarding capabilities on the affected node — a significant impact in environments where Fluentd serves as a central logging aggregator for cloud or Kubernetes infrastructure. There is no confidentiality or integrity impact; the vulnerability is purely an availability concern (GitHub Advisory).
curl -X POST -H 'Content-Encoding: gzip' --data-binary @bomb.gz http://<target>:9880/<tag>). The compressed size stays within body_size_limit, bypassing the check.in_http) or TCP connections to port 24224 (in_forward) from untrusted or external IP addresses; requests with Content-Encoding: gzip headers carrying unusually small compressed payloads./var/log/syslog, journalctl) recording OOM kill events targeting the Fluentd process (e.g., Out of memory: Kill process <pid> (fluentd)).top, htop, Prometheus node exporter metrics); log pipeline gaps or missing log data from the affected node.Upgrade Fluentd to version v1.19.3 or later, which enforces size limits on decompressed payloads in both in_http and in_forward plugins (PR #5393) (Fluentd Release). If an immediate upgrade is not possible, apply the following workarounds:
iptables, AWS Security Groups) to block access to Fluentd input ports (9880 for in_http, 24224 for in_forward) from untrusted networks, limiting exposure to known, trusted sources only.The vulnerability was reported by security researcher "everping" and disclosed by Watson1978 (Fluentd maintainer) on June 26, 2026 (Fluentd Security Advisory). Several cybersecurity news outlets covered the broader set of Fluentd v1.19.3 security fixes, with some headlines emphasizing "critical RCE" risks alongside this DoS issue, though CVE-2026-44160 itself is specifically a DoS vulnerability. Coverage appeared on CyberSecurityNews, CyberPress, SecureBulletin, and VPNcentral, noting the potential impact on cloud and Kubernetes logging pipelines. Japan's JVN (JVN#36011274) also published an advisory, reflecting the vulnerability's relevance to Japanese enterprise environments.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."