Prometheus: remote read endpoint allows denial of service via crafted snappy payload
Summary
| CVE | CVE-2026-42154 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-04 19:16:04 UTC |
| Updated | 2026-07-09 13:17:09 UTC |
| Description | Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.000200000 probability, percentile 0.057960000 (date 2026-05-12)
Problem Types: CWE-400 | CWE-789 | CWE-770 | CWE-400 CWE-400: Uncontrolled Resource Consumption | CWE-789 CWE-789: Memory Allocation with Excessive Size Value | CWE-770 Allocation of Resources Without Limits or Throttling
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Prometheus | Prometheus | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Prometheus | Prometheus | affected < 3.5.3 | Not specified |
| CNA | Prometheus | Prometheus | affected >= 3.6.0, < 3.11.3 | Not specified |
| ADP | Red Hat | RHEM 1.0 For RHEL 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux AppStream V. 9 | Not specified | Not specified |
| ADP | Red Hat | Logging Subsystem For Red Hat OpenShift 6.4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Advanced Cluster Management For Kubernetes 2.13 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Edge Manager 1.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Hardened Images | Not specified | Not specified |
| ADP | Red Hat | File Integrity Operator | Not specified | Not specified |
| ADP | Red Hat | Logging Subsystem For Red Hat OpenShift | Not specified | Not specified |
| ADP | Red Hat | Multicluster Global Hub | Not specified | Not specified |
| ADP | Red Hat | Network Observability Operator | Not specified | Not specified |
| ADP | Red Hat | OpenShift Lightspeed | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ceph Storage 5 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ceph Storage 6 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ceph Storage 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ceph Storage 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Ceph Storage 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Edge Manager 1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift Container Platform 4 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift GitOps | Not specified | Not specified |
| ADP | Red Hat | Red Hat Quay 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Trusted Artifact Signer | Not specified | Not specified |
| ADP | Red Hat | OpenShift Service Mesh 2 | Not specified | Not specified |
| ADP | Red Hat | OpenShift Service Mesh 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Advanced Cluster Management For Kubernetes 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenStack Platform 18.0 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:34357 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:29770 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36651 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:30651 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm | [email protected] | github.com | Vendor Advisory |
| github.com/prometheus/prometheus/pull/18585 | [email protected] | github.com | Issue Tracking, Patch |
| github.com/prometheus/prometheus/pull/18584 | [email protected] | github.com | Issue Tracking, Patch |
| access.redhat.com/errata/RHSA-2026:34364 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42154.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| github.com/prometheus/prometheus/releases/tag/v3.5.3 | [email protected] | github.com | Release Notes |
| access.redhat.com/errata/RHSA-2026:25039 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36796 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-42154 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34359 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/prometheus/prometheus/releases/tag/v3.11.3 | [email protected] | github.com | Release Notes |
| access.redhat.com/errata/RHSA-2026:25245 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-04T19:02:19.626Z | Reported to Red Hat. |
| ADP | 2026-05-04T18:13:12.340Z | Made public. |
Solutions
ADP: RHSA-2026:36796: RHEM 1.0 for RHEL 9
ADP: RHSA-2026:34357: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:34359: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:34364: Logging Subsystem for Red Hat OpenShift 6.4
ADP: RHSA-2026:30651: Red Hat Advanced Cluster Management for Kubernetes 2.13
ADP: RHSA-2026:36651: Red Hat Edge Manager 1.0
ADP: RHSA-2026:25039: Red Hat Hardened Images
ADP: RHSA-2026:29770: Red Hat Hardened Images
ADP: RHSA-2026:25245: Red Hat Hardened Images