PT-2026-36897 · Unknown · Prometheus
Shadowbyte1 · Published 2026-05-04 · Updated 2026-05-25 · CVE-2026-42154
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Prometheus versions prior to 3.5.3
Prometheus versions prior to 3.11.3
Description
Prometheus is an open-source monitoring system and time series database. The remote read endpoint "/api/v1/read" fails to validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload to trigger a large heap allocation per request, which can exhaust available memory and crash the process under concurrent load.
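The check described above, as an added Go example that is not Prometheus's own code: the snappy block format starts every stream with a uvarint giving the decoded length, so the endpoint can read that preamble and reject the request before allocating a buffer of the declared size. The cap, function names and sample bodies are assumptions constructed for the illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// maxDecodedLen is an assumed cap on the uncompressed size one request may
// declare (constructed value, not the limit used by Prometheus).
const maxDecodedLen = 32 << 20 // 32 MiB

var (
	errBadPreamble = errors.New("snappy: malformed length preamble")
	errTooLarge    = errors.New("snappy: declared decoded length exceeds limit")
)

// declaredLen reads the uvarint preamble that the snappy block format places
// at the start of every compressed body and returns the decoded size it
// declares, rejecting it before any buffer of that size is allocated.
func declaredLen(body []byte, limit uint64) (uint64, error) {
	n, k := binary.Uvarint(body)
	if k <= 0 { // k == 0: body too short; k < 0: varint overflow
		return 0, errBadPreamble
	}
	if n > limit {
		return 0, fmt.Errorf("%w: %d > %d", errTooLarge, n, limit)
	}
	return n, nil
}

// snappyPreamble encodes a declared length as a snappy preamble; used only to
// build the constructed sample inputs below.
func snappyPreamble(n uint64) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	return buf[:binary.PutUvarint(buf, n)]
}

func main() {
	// Constructed samples: a plausible small request and one whose few header
	// bytes declare a multi-gigabyte decoded size.
	small := append(snappyPreamble(1024), 0x00)
	huge := append(snappyPreamble(8<<30), 0x00)
	for _, b := range [][]byte{small, huge} {
		n, err := declaredLen(b, maxDecodedLen)
		fmt.Printf("%d header bytes declare %d decoded bytes: err=%v\n", len(b), n, err)
	}
}
```

With the check in place, the second sample is refused after reading a handful of bytes instead of driving an 8 GiB allocation.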
Recommendations
Update to version 3.5.3.
Update to version 3.11.3.
Fix
DoS
Resource Exhaustion
Related Identifiers
Affected Products
Prometheus