Home

Description

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.

PUBLISHED Reserved 2026-04-24 | Published 2026-05-04 | Updated 2026-05-04 | Assigner GitHub_M




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-400: Uncontrolled Resource Consumption

CWE-789: Memory Allocation with Excessive Size Value

Product status

< 3.5.3
affected

>= 3.6.0, < 3.11.3
affected

References

github.com/...etheus/security/advisories/GHSA-8rm2-7qqf-34qm

github.com/prometheus/prometheus/pull/18584

github.com/prometheus/prometheus/pull/18585

github.com/prometheus/prometheus/releases/tag/v3.11.3

github.com/prometheus/prometheus/releases/tag/v3.5.3

cve.org (CVE-2026-42154)

nvd.nist.gov (CVE-2026-42154)

Download JSON