CVE-2026-42154
published 2026-05-04

Priority: P3, 47, high
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H)
EPSS: 0.73% (49.7th percentile)
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
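One defensive shape for the check the description says was missing, written as an added example in Go and not taken from Prometheus's code: the snappy block format begins with a uvarint preamble holding the decoded length, so a server can read that preamble and reject the request before any buffer is sized from it. The 64 MiB cap and the sample request bodies are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var (
	ErrDecodedLenTooLarge = errors.New("declared decoded length exceeds limit")
	ErrBadPreamble        = errors.New("malformed or truncated snappy preamble")
)

// DeclaredDecodedLen parses only the uvarint preamble of a snappy block-format
// body and returns the decoded length it declares, without decompressing.
func DeclaredDecodedLen(body []byte) (uint64, error) {
	n, k := binary.Uvarint(body)
	if k <= 0 { // k == 0: buffer too short; k < 0: varint overflows 64 bits
		return 0, ErrBadPreamble
	}
	return n, nil
}

// CheckDecodedLen rejects a body whose declared decoded length exceeds maxLen.
// Allocating make([]byte, n) before this check lets a body of a few bytes
// force a huge heap allocation per request, which is the failure mode described.
func CheckDecodedLen(body []byte, maxLen uint64) (uint64, error) {
	n, err := DeclaredDecodedLen(body)
	if err != nil {
		return 0, err
	}
	if n > maxLen {
		return n, ErrDecodedLenTooLarge
	}
	return n, nil
}

// snappyBodyWithDeclaredLen builds a constructed sample body: a preamble that
// declares decodedLen followed by filler bytes. Only the preamble matters here.
func snappyBodyWithDeclaredLen(decodedLen uint64) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	k := binary.PutUvarint(buf, decodedLen)
	return append(buf[:k], 0x00, 0x00, 0x00)
}

func main() {
	const maxLen = 64 << 20 // 64 MiB cap; an assumed tuning value, not Prometheus's
	small := snappyBodyWithDeclaredLen(1024)
	huge := snappyBodyWithDeclaredLen(8 << 30) // declares 8 GiB in a ~8-byte body
	for _, b := range [][]byte{small, huge} {
		n, err := CheckDecodedLen(b, maxLen)
		fmt.Printf("body=%d bytes declared=%d err=%v\n", len(b), n, err)
	}
}
```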

Affected (5 ranges)

Vendor         Product                Version range        Fixed in
github.com     prometheus_prometheus  >= 0 < 0.311.3       0.311.3
prometheus     prometheus             < 3.5.3              3.5.3
prometheus     prometheus
prometheus     prometheus             >= 3.6.0 < 3.11.3    3.11.3
rust-lang      rust

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat           7.5    HIGH