CVE-2026-42154
Published 2026-05-04
Priority: P3 47 · high · CVSS 3.1 base score 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.73% (49.7th percentile)
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | prometheus_prometheus | >= 0 < 0.311.3 | 0.311.3 |
| prometheus | prometheus | < 3.5.3 | 3.5.3 |
| prometheus | prometheus | — | — |
| prometheus | prometheus | >= 3.6.0 < 3.11.3 | 3.11.3 |
| rust-lang | rust | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
Prometheus: Remote read endpoint allows denial of service via crafted snappy payload
ghsa · 2026-05-05 · CVE-2026-42154 [HIGH] · CWE-400
### Impact
The remote read endpoint (`/api/v1/read`) does not validate the declared decoded length in a snappy-compressed request body before allocating memory.
An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process.
### Patches
Fixed in 3.11.3 and 3.5.3 LTS. Users should upgrade to these versions or later.
### Workarounds
Users who cannot upgrade can place Prometheus behind a reverse proxy or firewall that requires authentication before requests reach /api/v1/read.
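The check the advisory describes as missing, as an added illustration (not the project's code and not the actual patch): a snappy block-format body begins with a uvarint giving the decoded length, so the server can read that header and reject an oversized declaration before it sizes any buffer. The 32 MiB decoded cap, the 1 MiB compressed cap and the handler are assumptions chosen here for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// Illustrative bound on the decoded size a remote read request may declare.
const maxDecodedLen = 32 << 20 // 32 MiB (assumed value, not Prometheus's)

var (
	errBadHeader = errors.New("snappy: malformed decoded-length header")
	errTooLarge  = errors.New("snappy: declared decoded length exceeds limit")
)

// declaredSnappyLen parses the uvarint that opens a snappy block-format
// body and rejects it against limit before any allocation is attempted.
func declaredSnappyLen(body []byte, limit uint64) (uint64, error) {
	n, k := binary.Uvarint(body)
	if k <= 0 { // k == 0: truncated header; k < 0: value overflows 64 bits
		return 0, errBadHeader
	}
	if n > limit {
		return 0, errTooLarge
	}
	return n, nil
}

// remoteReadHandler shows the defensive order: cap the compressed body,
// validate the declared decoded length, and only then decode.
func remoteReadHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, 1<<20) // compressed cap (assumed)
	compressed, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	n, err := declaredSnappyLen(compressed, maxDecodedLen)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// Only now is a buffer of n bytes safe to size for snappy.Decode.
	fmt.Fprintf(w, "accepted: declared decoded length %d bytes\n", n)
}

func main() {
	http.HandleFunc("/api/v1/read", remoteReadHandler)
	_ = http.ListenAndServe("127.0.0.1:9090", nil)
}
```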
VulDB
Prometheus up to 3.5.2/3.11.2 Remote Read Endpoint /api/v1/read resource consumption (GHSA-8rm2-7qqf-34qm)
vuldb · 2026-05-04 · CVE-2026-42154 [HIGH] · CVSS 7.5
A vulnerability labeled as problematic has been found in Prometheus up to 3.5.2/3.11.2. Impacted is an unknown function of the file /api/v1/read of the component Remote Read Endpoint. The manipulation results in resource consumption.
This vulnerability is cataloged as CVE-2026-42154. The attack may be launched remotely. There is no exploit available.
The affected component should be upgraded.
Red Hat
github.com/prometheus/prometheus: Prometheus: Denial of Service via uncontrolled memory allocation in remote read endpoint
vendor_redhat · 2026-05-04 · CVE-2026-42154 [HIGH] · CWE-770 · CVSS 7.5
A flaw was found in Prometheus. An unauthenticated attacker can exploit the remote read endpoint (`/api/v1/read`) by sending a specially crafted, small snappy-compressed payload. This payload causes a disproportionately large memory allocation, leading to memory exhaustion and a Denial of Service (DoS) by crashing the Prometheus process.
Package: rust (Red Hat Hardened Images) - Not affected
No detection rules found.
No public exploits indexed.
Bugzilla
Red Hat Bugzilla trackers for CVE-2026-42154 [HIGH] (all CVSS 7.5), each titled "Prometheus: Denial of Service via uncontrolled memory allocation in remote read endpoint":
- netdata [epel-all] · 2026-06-15
- golang-github-prometheus-prom2json [fedora-all] · 2026-06-15
- tailscale [fedora-all] · 2026-06-15
- grafana [fedora-all] · 2026-06-15
- prometheus [epel-all] · 2026-05-25
- golang-github-prometheus [fedora-all] · 2026-05-25
- prometheus [fedora-all] · 2026-05-25
- github.com/prometheus/prometheus · 2026-05-04
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Rapid7
Patch Tuesday - May 2026
blogs_rapid7 · 2026-05-13 · CVE-2026-41089 [CRITICAL] · CVSS 10.0
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that's SYSTEM privileges on the domain controller. For most pentesters, that's the point at which the customer report more or less writes itself. No privileges
References
- https://github.com/prometheus/prometheus/pull/18584
- https://github.com/prometheus/prometheus/pull/18585
- https://github.com/prometheus/prometheus/releases/tag/v3.11.3
- https://github.com/prometheus/prometheus/releases/tag/v3.5.3
- https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm
- https://access.redhat.com/errata/RHSA-2026:25039
- https://access.redhat.com/errata/RHSA-2026:25245
- https://access.redhat.com/errata/RHSA-2026:29770
- https://access.redhat.com/errata/RHSA-2026:30651
- https://access.redhat.com/security/cve/CVE-2026-42154
- https://bugzilla.redhat.com/show_bug.cgi?id=2466505
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42154.json
Published: 2026-05-04