CVE-2026-0531

Source
https://cve.org/CVERecord?id=CVE-2026-0531
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-0531.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-0531
Aliases
Published
2026-01-13T21:15:50.990Z
Modified
2026-02-02T21:35:20.402163Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana Fleet can lead to Excessive Allocation (CAPEC-130) via a specially crafted bulk retrieval request. This requires an attacker to have low-level privileges equivalent to the viewer role, which grants read access to agent policies. The crafted request can cause the application to perform redundant database retrieval operations that immediately consume memory until the server crashes and becomes unavailable to all users.

References

Affected packages

Git / github.com/elastic/elasticsearch

Affected versions

v9.*
v9.2.0
v9.2.1
v9.2.2
v9.2.3

Database specific

vanir_signatures
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-0531.json"

Git / github.com/elastic/kibana

Affected versions

v9.*
v9.2.0
v9.2.1
v9.2.2
v9.2.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-0531.json"