Skip to main content

Prometheus EUVDEUVD-2026-27091

| CVE-2026-42154 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-05-04 GitHub_M GHSA-8rm2-7qqf-34qm
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
May 04, 2026 - 20:01 EUVD
Source Code Evidence Fetched
May 04, 2026 - 19:30 vuln.today
Analysis Generated
May 04, 2026 - 19:30 vuln.today

DescriptionCVE.org

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.

AnalysisAI

Memory exhaustion in Prometheus remote read endpoint allows unauthenticated attackers to crash the monitoring server via maliciously crafted snappy-compressed payloads. The /api/v1/read endpoint in versions prior to 3.5.3 and 3.11.3 accepts compressed request bodies without validating the declared decoded length, enabling a 5-byte payload claiming 256 MiB decoded size to trigger massive heap allocations. Concurrent requests can exhaust memory and crash the Prometheus process. EPSS data not provided; no evidence of active exploitation (not in CISA KEV). Vendor-released patches available in versions 3.5.3 and 3.11.3.

Technical ContextAI

Prometheus is a widely-deployed open-source monitoring and time series database system, commonly used in cloud-native and Kubernetes environments. The vulnerability resides in the remote read API endpoint (/api/v1/read), which accepts snappy-compressed protocol buffer requests for querying time series data. Snappy compression uses a stream format with a header declaring the decoded length before the actual compressed data. The flaw is a classic CWE-400 (Uncontrolled Resource Consumption) issue where the server trusts the client-supplied decoded length header without validation, allowing an attacker to send a tiny compressed payload (as small as 5 bytes) claiming a massive decoded size (e.g., 256 MiB). The vulnerable code path in storage/remote/codec.go's DecodeReadRequest() function allocates memory based on this untrusted header before decompression occurs. The fix implements a 32 MiB limit check (decodeReadLimit) on the declared decoded length using snappy.DecodedLen() before any memory allocation, rejecting payloads exceeding the threshold.

RemediationAI

Upgrade immediately to Prometheus version 3.5.3 or 3.11.3 depending on your release track (see https://github.com/prometheus/prometheus/releases/tag/v3.5.3 and https://github.com/prometheus/prometheus/releases/tag/v3.11.3). These versions implement decoded-length validation with a 32 MiB limit before memory allocation. If immediate patching is not feasible, implement network-level access controls: restrict /api/v1/read endpoint access to trusted internal networks only using firewall rules or reverse proxy ACLs; disable remote read functionality entirely if federated queries are not required (remove --web.enable-remote-read flag or equivalent configuration). Rate limiting at the reverse proxy/load balancer can reduce concurrent request impact but does not eliminate the vulnerability. Monitor memory usage closely for anomalies. Each mitigation has trade-offs: network restrictions may break legitimate federated monitoring; disabling remote read eliminates long-term storage query functionality; rate limiting adds operational complexity and may impact legitimate high-throughput queries.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed
SUSE Manager Client Tools 15 Fixed

Share

EUVD-2026-27091 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy