Description
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
Published: 2026-05-04
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in Prometheus' remote read endpoint handles SNAPPY-compressed payloads without verifying the decoded length prior to allocating memory. An attacker can exploit this by sending a small, carefully crafted payload that forces the server to allocate an enormous amount of heap space. The resulting memory exhaustion can cause the Prometheus process to crash, leading to denial of service. The weakness is a classic case of resource exhaustion and improper input validation (CWE-400, CWE-789).

Affected Systems

The issue affects all instances of Prometheus running versions older than 3.5.3 and 3.11.3. The vendor recommends updating to either 3.5.3 or 3.11.3 where the check has been added and the allocation guard is in place.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity for availability impact. With no EPSS data available, the exact likelihood of exploitation is uncertain, but the vulnerability requires only unauthenticated network access to the /api/v1/read endpoint, which is commonly exposed. The attack can be launched remotely by an adversary capable of sending HTTP requests, and under concurrent load it can exhaust system memory quickly. As the vulnerability is not listed in CISA's KEV catalog, there is currently no widespread evidence of exploitation, but the potential for disruption remains high.

Generated by OpenCVE AI on May 4, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Prometheus to version 3.5.3 or 3.11.3, which includes the input length validation in the remote read endpoint.
  • If upgrade is not immediately feasible, restrict access to the /api/v1/read endpoint by firewall rules or API gateway so that only trusted internal hosts can reach it.
  • Enable monitoring for memory usage spikes and set alerts for unexpected heap growth to detect potential exploitation attempts early.

Generated by OpenCVE AI on May 4, 2026 at 20:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Prometheus
Prometheus prometheus
Vendors & Products Prometheus
Prometheus prometheus

Mon, 04 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
Title Prometheus: remote read endpoint allows denial of service via crafted snappy payload
Weaknesses CWE-400
CWE-789
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Prometheus Prometheus
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T20:19:13.876Z

Reserved: 2026-04-24T17:15:21.835Z

Link: CVE-2026-42154

cve-icon Vulnrichment

Updated: 2026-05-04T20:18:51.965Z

cve-icon NVD

Status : Received

Published: 2026-05-04T19:16:04.397

Modified: 2026-05-04T19:16:04.397

Link: CVE-2026-42154

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T20:30:08Z

Weaknesses