websafe-kb/08-threat-intel/registry/advisories/kibana--0fcd01159e.json

{
  "canonical_id": "kibana--0fcd01159e",
  "system_id": "kibana",
  "display_name": "Kibana",
  "category": "platforms",
  "advisory_mode": "core",
  "title": "Packetbeat 8.19.11, 9.2.5 Security Update (ESA-2026-11)",
  "summary": "<p><strong>Improper Validation of Array Index in Packetbeat Leading to Denial of Service</strong></p>\n<p>Improper Validation of Array Index (CWE-129) in multiple protocol parser components in Packetbeat can lead Denial of Service via Input Data Manipulation (CAPEC-153). An attacker with the ability to send specially crafted, malformed network packets to a monitored network interface can trigger out-of-bounds read operations, resulting in application crashes or resource exhaustion. This requires the attacker to be positioned on the same network segment as the Packetbeat deployment or to control traffic routed to monitored interfaces.</p>\n<p><strong>Affected Versions:</strong></p>\n<ul>\n<li>8.x: All versions from 8.0.0 up to and including 8.19.10</li>\n<li>9.x: All versions from 9.0.0 up to and including 9.2.4</li>\n</ul>\n<p><strong>Affected Configurations:</strong><br>\nPacketbeat protocol parsing is enabled by default for configured protocols. Network traffic capture requires explicit configuration of network interfaces and protocols to monitor in packetbeat.yml. The vulnerable parsers are only active when their respective protocols are explicitly enabled in the configuration.</p>\n<p><strong>Solutions and Mitigations:</strong></p>\n<p>The issue is resolved in version 8.19.11, 9.2.5.</p>\n<p><strong>For Users that Cannot Upgrade:</strong></p>\n<p>Network Segmentation: Ensure Packetbeat instances only monitor trusted network segments and implement network-level controls to prevent untrusted sources from sending traffic to monitored interfaces. This will reduce the likelihood of exploitation.</p>\n<p><strong>Indicators of Compromise (IOC)</strong></p>\n<ul>\n<li>Frequent panic/crash events in Packetbeat logs</li>\n<li>Error messages related to index out of range or slice bounds violations</li>\n<li>Repeated restarts of the Packetbeat process</li>\n</ul>\n<p><strong>Severity:</strong> CVSSv3.1: Medium ( 5.7 ) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H<br>\n<strong>CVE ID</strong>:  CVE-2026-26933<br>\n<strong>Problem Type:</strong> CWE-129 - Improper Validation of Array Index<br>\n<strong>Impact:</strong> CAPEC-153 - Input Data Manipulation</p>\n            <p><small>1 post - 1 participant</small></p>\n            <p><a href=\"https://discuss.elastic.co/t/packetbeat-8-19-11-9-2-5-security-update-esa-2026-11/385533\">Read full topic</a></p>",
  "published_at": "Thu, 19 Mar 2026 16:56:17 +0000",
  "updated_at": "Thu, 19 Mar 2026 16:56:17 +0000",
  "severity": "unknown",
  "cvss_score": null,
  "exploit_status": "unknown",
  "source_confidence": "official",
  "official_source_url": "https://discuss.elastic.co/t/packetbeat-8-19-11-9-2-5-security-update-esa-2026-11/385533",
  "secondary_source_urls": [],
  "aliases": [],
  "cve_ids": [],
  "ghsa_ids": [],
  "osv_ids": [],
  "affected_versions": [],
  "fixed_versions": [],
  "package_name": null,
  "render_markdown": false,
  "case_path": null,
  "secure_code_topics": [
    "authz-server-side-recheck",
    "xss-output-encoding",
    "proxy-trust-boundary"
  ],
  "status": "triage",
  "triage_reasons": [
    "missing affected/fixed version details"
  ],
  "entity_refs": [
    {
      "entity_id": "kibana",
      "entity_type": "system",
      "relation": "root-system",
      "root_system_id": "kibana",
      "official": true
    }
  ],
  "affected_components": [
    {
      "name": "Kibana",
      "entity_id": "kibana",
      "scope": "core",
      "package_name": null,
      "official": true
    }
  ],
  "affected_version_ranges": [],
  "fixed_version_ranges": [],
  "introduced_version": null,
  "patched_version": null,
  "version_evidence_sources": [
    "https://discuss.elastic.co/t/packetbeat-8-19-11-9-2-5-security-update-esa-2026-11/385533"
  ],
  "advisory_scope": "core",
  "version_confidence": "low",
  "version_gap_reason": "official bulletin or aggregated source did not expose explicit affected/fixed versions",
  "version_resolution_needed": true,
  "workflow": {
    "workflow_id": "kibana--0fcd01159e--workflow",
    "vuln_family": "xss",
    "entry_surface": "web-ui-render-path",
    "preconditions": [
      "\u4ec5\u5728 lab-local\u3001lab-public \u6216\u660e\u786e\u6388\u6743\u76ee\u6807\u4e2d\u6267\u884c\u3002",
      "\u786e\u8ba4\u76ee\u6807\u547d\u4e2d\u7248\u672c\u65ad\u8a00: \u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d",
      "\u82e5\u5bf9\u8c61\u5c5e\u4e8e `core`\uff0c\u5148\u786e\u8ba4\u6269\u5c55/\u4ed3\u5e93/\u5305\u5df2\u542f\u7528\u5e76\u5904\u4e8e\u53d7\u5f71\u54cd\u7248\u672c\u3002"
    ],
    "required_role": "editor-or-admin",
    "affected_version_assertion": [
      "\u9700\u8981\u4ece\u516c\u544a\u3001\u9501\u6587\u4ef6\u3001\u7248\u672c\u9875\u6216\u5173\u4e8e\u9875\u9762\u4eba\u5de5\u786e\u8ba4\u7248\u672c\u547d\u4e2d"
    ],
    "trigger_vector": "\u5bf9 `xss` \u5bb6\u65cf\u5165\u53e3\u6295\u9012\u6700\u5c0f\u5316\u3001\u53ef\u5ba1\u8ba1\u3001\u53ef\u56de\u6eda\u7684\u53d7\u63a7\u8f93\u5165\uff0c\u6bd4\u8f83\u4fee\u590d\u524d\u540e\u5dee\u5f02\u3002",
    "request_or_ui_path": [
      "/admin/editor",
      "/preview",
      "/rendered-content"
    ],
    "input_shape": "\u53d7\u63a7 HTML/Markdown/\u5bcc\u6587\u672c\u8f93\u5165\uff0c\u89c2\u5bdf\u6e32\u67d3\u4e0a\u4e0b\u6587\u662f\u5426\u5931\u53bb\u7f16\u7801\u6216\u51c0\u5316\u3002",
    "expected_unsafe_behavior": "\u8f93\u5165\u5728\u76ee\u6807\u4e0a\u4e0b\u6587\u6267\u884c\u6216\u88ab\u6d4f\u89c8\u5668\u89e3\u91ca\u4e3a\u4e3b\u52a8\u5185\u5bb9\u3002",
    "server_evidence_points": [
      "\u5e94\u7528\u65e5\u5fd7\u4e2d\u7684\u547d\u4e2d\u8def\u5f84\u3001\u9274\u6743\u51b3\u7b56\u548c\u5f02\u5e38\u6808",
      "\u53cd\u5411\u4ee3\u7406\u6216\u8fb9\u754c\u5c42\u65e5\u5fd7\u4e2d\u7684\u8bf7\u6c42\u5934\u3001\u6765\u6e90 IP \u4e0e\u8def\u7531\u51b3\u7b56"
    ],
    "browser_evidence_points": [
      "\u57fa\u7ebf\u622a\u56fe\u4e0e\u653b\u51fb\u540e\u622a\u56fe\u7684 DOM/\u89c6\u89c9\u5dee\u5f02",
      "console\u3001network \u4e0e response metadata \u4e2d\u7684\u5f02\u5e38\u4fe1\u53f7"
    ],
    "db_or_fs_evidence_points": [
      "\u6570\u636e\u5e93\u4e2d\u65b0\u589e/\u8d8a\u6743\u8bfb\u53d6\u7684\u6d4b\u8bd5\u6570\u636e",
      "\u6587\u4ef6\u7cfb\u7edf\u4e2d\u65b0\u589e\u4e0a\u4f20\u6837\u672c\u3001\u7f13\u5b58\u6761\u76ee\u6216\u8d8a\u6743\u8bfb\u53d6\u75d5\u8ff9"
    ],
    "detection_signals": [
      "WAF / reverse proxy \u5f02\u5e38\u65e5\u5fd7\u3001\u8bbf\u95ee\u65e5\u5fd7\u548c\u544a\u8b66",
      "\u5e94\u7528\u5ba1\u8ba1\u65e5\u5fd7\u4e2d\u7684\u6743\u9650\u9519\u8bef\u3001\u91cd\u5b9a\u5411\u5f02\u5e38\u3001\u6a21\u677f\u6e32\u67d3\u6216\u4e0a\u4f20\u843d\u76d8\u4e8b\u4ef6"
    ],
    "mitigation_summary": "\u4f18\u5148\u5347\u7ea7\u5230\u4fee\u590d\u7248\u672c\uff0c\u5e76\u540c\u65f6\u6536\u7d27\u8f93\u5165\u6821\u9a8c\u3001\u670d\u52a1\u7aef\u9274\u6743\u3001\u4ee3\u7406\u4fe1\u4efb\u8fb9\u754c\u3001\u6269\u5c55\u5b89\u88c5\u4fe1\u4efb\u548c\u5ba1\u8ba1\u65e5\u5fd7\u3002",
    "patch_validation_steps": [
      "\u786e\u8ba4\u76ee\u6807\u7248\u672c\u4ece `\u53d7\u5f71\u54cd\u7248\u672c\u533a\u95f4` \u5347\u7ea7\u6216\u56de\u79fb\u5230 `\u4fee\u590d\u7248\u672c`\u3002",
      "\u4fdd\u7559\u540c\u4e00\u7ec4\u53d7\u63a7\u8f93\u5165\uff0c\u5728\u4fee\u590d\u524d\u540e\u5206\u522b\u6267\u884c\u5e76\u6bd4\u5bf9\u54cd\u5e94\u3001\u65e5\u5fd7\u4e0e\u6d4f\u89c8\u5668\u8bc1\u636e\u3002",
      "\u786e\u8ba4\u4fee\u590d\u540e\u4ec5\u4fdd\u7559\u9884\u671f\u4e1a\u52a1\u884c\u4e3a\uff0c\u4e0d\u518d\u89e6\u53d1\u8d8a\u6743\u3001\u56de\u663e\u3001\u5f02\u5e38\u6e32\u67d3\u6216\u9519\u8bef\u8bf7\u6c42\u3002",
      "\u8865\u5145 `xss` \u65cf\u81ea\u52a8\u5316\u56de\u5f52\uff0c\u907f\u514d\u540c\u7c7b\u8def\u5f84\u5728\u63d2\u4ef6\u3001\u4e3b\u9898\u6216\u4ee3\u7406\u94fe\u4e2d\u56de\u5f52\u3002"
    ],
    "lab_safety_notes": [
      "\u53ea\u4f7f\u7528\u56de\u73af\u5730\u5740\u3001\u54e8\u5175\u76ee\u6807\u3001\u65e0\u5bb3\u6837\u672c\u6216\u53ef\u56de\u6eda\u6d4b\u8bd5\u6570\u636e\u3002",
      "\u7981\u6b62\u9020\u6210\u6301\u4e45\u7834\u574f\u3001\u8d8a\u6743\u4e0b\u8f7d\u771f\u5b9e\u6570\u636e\u6216\u4e0d\u53ef\u56de\u6eda side effect\u3002",
      "\u5982\u9700\u6d4f\u89c8\u5668\u8bc1\u636e\uff0c\u4fdd\u7559 baseline / proof \u4e24\u4efd\u5feb\u7167\u4ee5\u53ca console / network \u8bb0\u5f55\u3002"
    ],
    "review_state": "needs-version-gap-review"
  },
  "verification_status": "triage-manual",
  "verification_mode": "synthetic",
  "last_verified_at": null,
  "last_run_id": null,
  "evidence_bundle": null,
  "historical_status": null,
  "latest_status": null,
  "browser_evidence": {
    "required": false,
    "present": false,
    "refs": []
  },
  "repro_profile_id": "xss-generic",
  "artifact_mode": "synthetic",
  "blocked_reason": null,
  "metadata": {
    "source_names": [
      "Elastic Security Announcements RSS"
    ],
    "source_kinds": [
      "rss-feed"
    ],
    "candidate_count": 1,
    "entity_ref_count": 1,
    "advisory_scope": "core",
    "version_confidence": "low",
    "workflow_id": "kibana--0fcd01159e--workflow"
  }
}