PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42399 Elastic CVE debrief

A denial-of-service vulnerability in Kibana's Timelion visualization engine allows authenticated low-privileged users to trigger uncontrolled memory consumption. The flaw stems from improper handling of deeply chained function calls in Timelion expressions, causing exponential growth of internal data structures that exhaust available memory and crash the Kibana service. This affects availability for all users of the affected instance. The vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption) with attack pattern CAPEC-130 (Excessive Allocation). Elastic has addressed this in security update ESA-2026-36.

Vendor
Elastic
Product
Kibana
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-28
Original CVE updated
2026-05-29
Advisory published
2026-05-28
Advisory updated
2026-05-29

Who should care

Organizations running Kibana versions prior to 8.19.16 or 9.3.5 with Timelion visualization features enabled, particularly multi-tenant deployments where low-privileged users have visualization creation capabilities. Security teams monitoring for denial-of-service vectors in Elastic Stack deployments should prioritize this patch.

Technical summary

The vulnerability exists in Kibana's Timelion expression parser, which fails to enforce limits on function call chaining depth. When an authenticated user submits a malicious Timelion visualization containing deeply nested function invocations, the parser constructs an internal representation whose memory footprint grows exponentially with the nesting depth. Without bounds checking or resource quotas, this leads to uncontrolled memory allocation, process termination, and complete service unavailability. The attack requires only low-privileged authentication and network access to the Kibana instance, with no user interaction required.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Kibana to version 8.19.16 or later (8.x line) or 9.3.5 or later (9.x line) per Elastic security advisory ESA-2026-36
  • Restrict Timelion visualization creation privileges to trusted administrative users until patching is complete
  • Monitor Kibana instance memory utilization for anomalous growth patterns that may indicate exploitation attempts
  • Review application logs for unusual Timelion expression complexity or deeply nested function chains
  • Implement resource limits and memory constraints on Kibana processes where supported by deployment architecture
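The technical summary describes the trigger as deep chaining and nesting of Timelion function calls, and the log-review action above asks defenders to look for exactly that. The following Python scanner is an added example, not Elastic code and not the check Kibana itself performs after patching: it walks a Timelion expression string, counts calls on the top-level chain and the deepest parenthesis level at which a call appears (ignoring parentheses inside quoted arguments), and flags expressions that exceed illustrative thresholds. The thresholds, the sample expressions and the record labels are constructed for this example and are not Elastic's limits.

```python
"""Flag Timelion expressions with unusual chain length or call nesting.

Added example (not Elastic/Kibana code). The thresholds below are
illustrative choices for a defender's review script, not Elastic's limits.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ExpressionStats:
    chain_length: int   # calls made directly on the top-level chain
    total_calls: int    # every ".name(" call at any depth
    max_nesting: int    # deepest parenthesis level at which any call sits
    expression: str


def analyze_timelion_expression(expr: str) -> ExpressionStats:
    """Single pass over the expression; quoted arguments are treated as data."""
    depth = 0            # current parenthesis depth
    max_depth = 0
    chain_calls = 0
    total_calls = 0
    in_string = None     # quote character of the string we are inside, if any
    i, n = 0, len(expr)
    while i < n:
        ch = expr[i]
        if in_string:
            if ch == "\\":          # skip escaped character inside a string
                i += 2
                continue
            if ch == in_string:
                in_string = None
            i += 1
            continue
        if ch in ('"', "'"):
            in_string = ch
        elif ch == "." and i + 1 < n and (expr[i + 1].isalpha() or expr[i + 1] == "_"):
            # ".name(" is a Timelion function call; ".name" without "(" is not
            j = i + 1
            while j < n and (expr[j].isalnum() or expr[j] == "_"):
                j += 1
            if j < n and expr[j] == "(":
                total_calls += 1
                if depth == 0:
                    chain_calls += 1
            i = j
            continue
        elif ch == "(":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == ")":
            depth = max(depth - 1, 0)
        i += 1
    return ExpressionStats(chain_calls, total_calls, max_depth, expr)


def flag_expression(expr: str, max_chain: int = 25, max_nesting: int = 5) -> List[str]:
    """Return the reasons an expression exceeds the (illustrative) limits."""
    stats = analyze_timelion_expression(expr)
    reasons = []
    if stats.chain_length > max_chain:
        reasons.append(f"chain_length={stats.chain_length} exceeds {max_chain}")
    if stats.max_nesting > max_nesting:
        reasons.append(f"max_nesting={stats.max_nesting} exceeds {max_nesting}")
    return reasons


def scan_expressions(records: List[Tuple[str, str]], **limits) -> Dict[str, List[str]]:
    """Map each flagged record label to its reasons; unflagged records are omitted."""
    findings = {}
    for label, expr in records:
        reasons = flag_expression(expr, **limits)
        if reasons:
            findings[label] = reasons
    return findings


# Constructed sample expressions (labels and content invented for this example).
BENIGN_EXPR = '.es(index=logs-*, metric=avg:bytes).label("bytes (avg)").color("#ff0000").lines(width=2)'
DEEP_EXPR = ('.es(q="a").multiply(.es(q="b").multiply(.es(q="c").multiply('
             '.es(q="d").multiply(.es(q="e").multiply(.es(q="f"))))))')
SAMPLE_RECORDS = [
    ("dashboard:web-traffic", BENIGN_EXPR),
    ("constructed-deep-nesting", DEEP_EXPR),
]

if __name__ == "__main__":
    for label, reasons in scan_expressions(SAMPLE_RECORDS).items():
        print(f"{label}: {'; '.join(reasons)}")
```

The scanner only measures structure, so it will not distinguish a legitimately elaborate dashboard from an abusive one; treat a hit as a prompt to inspect the saved visualization and its owner, and tune `max_chain` and `max_nesting` against the expressions your own dashboards actually use before alerting on them.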

Evidence notes

Elastic security advisory ESA-2026-36 confirms patched versions 8.19.16 and 9.3.5. CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H yields score 6.5 (Medium). Vendor identification based on reference domain and [email protected] source attribution.

Official resources

2026-05-28