CVE-2026-21720
published 2026-01-27


Priority: P3 41 | Severity: high | CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.62% (45.1th percentile)
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
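The leak described above is a general Go pattern, not specific to Grafana: a producer goroutine sends on an unbuffered channel while the consumer gives up in a select with a timeout, so the producer blocks on the send forever. The example below is added here to show the mechanism and the usual fix; it is illustrative code, not Grafana's implementation. The function names (leakyFetch, safeFetch, slowRefresh, LeakedGoroutines), the "hash-N" inputs and the delay and timeout values are all constructed for the demonstration. The hardened variant uses a buffered channel of capacity one so the single send always completes, and a context so the caller's deadline is the one the handler already has.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"runtime"
	"time"
)

var errTimeout = errors.New("avatar refresh timed out")

// slowRefresh stands in for the queued Gravatar fetch; delay is a constructed
// stand-in for time spent waiting in the worker queue plus the fetch itself.
func slowRefresh(hash string, delay time.Duration) []byte {
	time.Sleep(delay)
	return []byte("png:" + hash)
}

// leakyFetch mirrors the vulnerable shape: the channel is unbuffered, so the
// send only completes when a receiver is waiting. Once the caller hits the
// timeout and returns, nobody will ever receive, and the goroutine blocks
// on the send for the life of the process.
func leakyFetch(hash string, delay, timeout time.Duration) ([]byte, error) {
	ch := make(chan []byte) // unbuffered
	go func() { ch <- slowRefresh(hash, delay) }()
	select {
	case b := <-ch:
		return b, nil
	case <-time.After(timeout):
		return nil, errTimeout // producer goroutine is now stuck on ch <- ...
	}
}

// safeFetch is the hardened shape: capacity-1 buffer means the one send never
// blocks, so the goroutine exits as soon as the refresh finishes whether or
// not the caller is still listening. The caller's context carries the deadline.
func safeFetch(ctx context.Context, hash string, delay time.Duration) ([]byte, error) {
	ch := make(chan []byte, 1) // buffered: send succeeds even after the caller left
	go func() { ch <- slowRefresh(hash, delay) }()
	select {
	case b := <-ch:
		return b, nil
	case <-ctx.Done():
		return nil, ctx.Err()
	}
}

// LeakedGoroutines issues n fetches through fetch, waits long enough for every
// refresh to finish, and returns how many goroutines remain above the baseline.
// For leakyFetch this grows with n; for safeFetch it returns 0.
func LeakedGoroutines(n int, fetch func(hash string) error) int {
	base := runtime.NumGoroutine()
	for i := 0; i < n; i++ {
		_ = fetch(fmt.Sprintf("hash-%d", i)) // constructed, uncached hashes
	}
	time.Sleep(200 * time.Millisecond) // let every slowRefresh complish its sleep
	return runtime.NumGoroutine() - base
}

func main() {
	const delay, timeout = 20 * time.Millisecond, 5 * time.Millisecond

	safe := LeakedGoroutines(20, func(h string) error {
		ctx, cancel := context.WithTimeout(context.Background(), timeout)
		defer cancel()
		_, err := safeFetch(ctx, h, delay)
		return err
	})
	leaked := LeakedGoroutines(20, func(h string) error {
		_, err := leakyFetch(h, delay, timeout)
		return err
	})
	fmt.Printf("safeFetch left %d goroutines behind, leakyFetch left %d\n", safe, leaked)
}
```

Run it and the safe variant reports 0 leftover goroutines while the leaky variant reports one per timed-out request, which is exactly the linear growth the advisory describes. In production the same check is cheap to monitor: Grafana exposes go_goroutines via its Prometheus metrics endpoint, and a goroutine count that climbs with request rate and never falls back is the signal to look for.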

Affected (15 ranges)

Vendor   | Product                    | Version range          | Fixed in
grafana  | grafana                    |                        |
grafana  | grafana                    | >= 12.0.0 < 12.0.8     | 12.0.8
grafana  | grafana                    | >= 12.1.0 < 12.1.5     | 12.1.5
grafana  | grafana                    | >= 12.2.0 < 12.2.3     | 12.2.3
grafana  | grafana                    | >= 3.0.0 < 11.6.9      | 11.6.9
grafana  | grafana_grafana            | >= 3.0.0 < 11.6.9      | 11.6.9
grafana  | grafana_grafana            | >= 3.0.0 < 12.0.8      | 12.0.8
grafana  | grafana_grafana            | >= 3.0.0 < 12.1.5      | 12.1.5
grafana  | grafana_grafana            | >= 3.0.0 < 12.2.3      | 12.2.3
grafana  | grafana_grafana            | >= 3.0.0 < 12.3.1      | 12.3.1
grafana  | grafana_grafana-enterprise | >= 3.0.0 < 11.6.9      | 11.6.9
grafana  | grafana_grafana-enterprise | >= 3.0.0 < 12.0.8      | 12.0.8
grafana  | grafana_grafana-enterprise | >= 3.0.0 < 12.1.5      | 12.1.5
grafana  | grafana_grafana-enterprise | >= 3.0.0 < 12.2.3      | 12.2.3
grafana  | grafana_grafana-enterprise | >= 3.0.0 < 12.3.1      | 12.3.1

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv           |         | 7.5   | HIGH     |
vendor_redhat |         | 7.5   | HIGH     |