CVE-2026-44160
Ruby Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-44160 is a Denial of Service (DoS) vulnerability in Fluentd's in_http and in_forward plugins caused by a gzip decompression bomb ("zip bomb") attack. Fluentd correctly enforces size limits on incoming compressed payloads via body_size_limit or chunk_size_limit, but no limit is enforced on the size of the decompressed data, allowing an attacker to bypass these controls entirely. All Fluentd versions up to and including 1.19.2 (RubyGems package) are affected; the issue was patched in v1.19.3. The advisory was published on June 26, 2026, with a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Fluentd Release).

Détails techniques

The root cause is classified as CWE-409 (Improper Handling of Highly Compressed Data / Data Amplification): Fluentd decompresses gzip payloads in memory without enforcing any limit on the resulting uncompressed size, even though limits exist for the compressed input. An unauthenticated remote attacker can craft a small, highly compressed gzip payload (a "decompression bomb") and send it to Fluentd's HTTP input port (default: 9880) or forward input port (default: 24224). Upon decompression, the payload expands to an arbitrarily large size in memory, exhausting available RAM. No authentication or special privileges are required; the only precondition is network access to an exposed Fluentd input port (GitHub Advisory, Fluentd Security Advisory).

Impact

Successful exploitation causes rapid memory exhaustion on the host running Fluentd, which typically triggers an Out-of-Memory (OOM) kill of the Fluentd process by the operating system. This results in complete disruption of all log collection and forwarding capabilities on the affected node — a significant impact in environments where Fluentd serves as a central logging aggregator for cloud or Kubernetes infrastructure. There is no confidentiality or integrity impact; the vulnerability is purely an availability concern (GitHub Advisory).

Étapes d’exploitation

  1. Reconnaissance: Identify internet-facing Fluentd instances using network scanning tools (e.g., Shodan, Censys, or nmap) targeting default ports 9880 (in_http) or 24224 (in_forward).
  2. Craft decompression bomb: Create a gzip-compressed payload that is small in compressed form but expands to gigabytes when decompressed (e.g., using standard tools to compress a large file of repeated bytes, achieving compression ratios of 1000:1 or greater).
  3. Send malicious payload to in_http: Transmit the crafted gzip payload via an HTTP POST request to the Fluentd HTTP input endpoint (e.g., curl -X POST -H 'Content-Encoding: gzip' --data-binary @bomb.gz http://<target>:9880/<tag>). The compressed size stays within body_size_limit, bypassing the check.
  4. Trigger memory exhaustion: Fluentd decompresses the payload in memory with no upper bound on the decompressed size, rapidly consuming all available RAM on the host.
  5. Achieve DoS: The OS OOM killer terminates the Fluentd process, halting all log collection and forwarding on the affected node (GitHub Advisory, Fluentd Security Advisory).

Indicateurs de compromis

  • Network: Unexpected or anomalous HTTP POST requests to port 9880 (in_http) or TCP connections to port 24224 (in_forward) from untrusted or external IP addresses; requests with Content-Encoding: gzip headers carrying unusually small compressed payloads.
  • Logs: Fluentd process logs showing sudden termination without a graceful shutdown message; system logs (e.g., /var/log/syslog, journalctl) recording OOM kill events targeting the Fluentd process (e.g., Out of memory: Kill process <pid> (fluentd)).
  • Process/System: Sudden disappearance of the Fluentd process; spike in memory usage immediately preceding process termination visible in system monitoring tools (e.g., top, htop, Prometheus node exporter metrics); log pipeline gaps or missing log data from the affected node.

Atténuation et solutions de contournement

Upgrade Fluentd to version v1.19.3 or later, which enforces size limits on decompressed payloads in both in_http and in_forward plugins (PR #5393) (Fluentd Release). If an immediate upgrade is not possible, apply the following workarounds:

  • Restrict network access: Use firewall rules (e.g., iptables, AWS Security Groups) to block access to Fluentd input ports (9880 for in_http, 24224 for in_forward) from untrusted networks, limiting exposure to known, trusted sources only.
  • Use a reverse proxy: Place a reverse proxy such as Nginx in front of Fluentd for HTTP ingestion; configure the proxy to decompress gzip content and enforce strict limits on both compressed and uncompressed body sizes before forwarding traffic to Fluentd (GitHub Advisory).

Réactions de la communauté

The vulnerability was reported by security researcher "everping" and disclosed by Watson1978 (Fluentd maintainer) on June 26, 2026 (Fluentd Security Advisory). Several cybersecurity news outlets covered the broader set of Fluentd v1.19.3 security fixes, with some headlines emphasizing "critical RCE" risks alongside this DoS issue, though CVE-2026-44160 itself is specifically a DoS vulnerability. Coverage appeared on CyberSecurityNews, CyberPress, SecureBulletin, and VPNcentral, noting the potential impact on cloud and Kubernetes logging pipelines. Japan's JVN (JVN#36011274) also published an advisory, reflecting the vulnerability's relevance to Japanese enterprise environments.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Ruby Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-44024CRITICAL9.8
  • Ruby logoRuby
  • ruby4.0-fluentd-kubernetes-daemonset-1.19
NonOuiJul 08, 2026
CVE-2026-44160HIGH7.5
  • Ruby logoRuby
  • ruby3.2-fluentd-kubernetes-daemonset-1.19
NonOuiJul 08, 2026
CVE-2026-44025HIGH7.5
  • Ruby logoRuby
  • ruby3.3-fluentd-kubernetes-daemonset-1.19
NonOuiJul 08, 2026
CVE-2026-38969HIGH7.5
  • Ruby logoRuby
  • ruby-webrick
NonOuiJul 02, 2026
CVE-2026-44161HIGH7.2
  • Ruby logoRuby
  • ruby4.0-fluentd-kubernetes-daemonset-1.19
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités