Impact
A privileged user can submit a specially crafted machine learning request that forces Elasticsearch to allocate an excessive amount of memory, eventually exhausting available resources and making the node unavailable. The weakness is a resource exhaustion issue (CWE-770), and its effect is denial of service: the affected node becomes unresponsive.
Affected Systems
Elastic: Elasticsearch. No specific version range is listed in the data, but the vendor advisory references security updates for Elasticsearch 8.19.17, 9.3.6, and 9.4.3.
Risk and Exploitability
The CVSS score of 4.9 classifies the vulnerability as low‑to‑medium severity, and it is not present in the CISA KEV catalog. The EPSS score is not available, so the likelihood of exploitation is unclear. The attack requires elevated privileges and the ability to submit machine‑learning requests; without such access, remote exploitation is unlikely. If a privileged user has this ability, the risk of a denial‑of‑service incident is significant for the affected node.