CVE-2026-42154

About vulnerability

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.

Affected product:

Grafana , Loki , MinIO , google/go-cloud , grafana/e2e , grafana/grafana/pkg/promlib , grafana/grafana/pkg/storage/unified/apistore , grafana/grafana/pkg/storage/unified/resource , grafana/tempo , m3dbx/prometheus_remote_client_golang , prometheus/prom2json , prometheus/prometheus

Affected packages:

github.com/minio/console @ 1.7.7-0.20250905210349-2017f33b26e1 (+32 more)

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.