Description
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
Published: 2026-05-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in Prometheus' remote read endpoint handles SNAPPY-compressed payloads without verifying the decoded length prior to allocating memory. An attacker can exploit this by sending a small, carefully crafted payload that forces the server to allocate an enormous amount of heap space. The resulting memory exhaustion can cause the Prometheus process to crash, leading to denial of service. The weakness is a classic case of resource exhaustion and improper input validation (CWE-400, CWE-770, CWE-789).

Affected Systems

The issue affects all instances of Prometheus running versions older than 3.5.3 and 3.11.3. The vendor recommends updating to either 3.5.3 or 3.11.3 where the check has been added and the allocation guard is in place.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity for availability impact. The EPSS score is 0.0002, indicating a very low projected probability of exploitation (<1%). The vulnerability requires only unauthenticated network access to the /api/v1/read endpoint, which is commonly exposed. The attack can be launched remotely by an adversary capable of sending HTTP requests, and under concurrent load it can exhaust system memory quickly. As the vulnerability is not listed in CISA's KEV catalog, there is currently no widespread evidence of exploitation, but the potential for disruption remains high.

Generated by OpenCVE AI on May 26, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Prometheus to version 3.5.3 or 3.11.3, which includes the input length validation in the remote read endpoint.
  • If upgrade is not immediately feasible, restrict access to the /api/v1/read endpoint by firewall rules or API gateway so that only trusted internal hosts can reach it.
  • Enable monitoring for memory usage spikes and set alerts for unexpected heap growth to detect potential exploitation attempts early.

Generated by OpenCVE AI on May 26, 2026 at 13:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8rm2-7qqf-34qm Prometheus: Remote read endpoint allows denial of service via crafted snappy payload
History

Tue, 26 May 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:prometheus:prometheus:*:*:*:*:*:*:*:*

Mon, 04 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Prometheus
Prometheus prometheus
Vendors & Products Prometheus
Prometheus prometheus

Mon, 04 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
Title Prometheus: remote read endpoint allows denial of service via crafted snappy payload
Weaknesses CWE-400
CWE-789
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Prometheus Prometheus
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T20:19:13.876Z

Reserved: 2026-04-24T17:15:21.835Z

Link: CVE-2026-42154

cve-icon Vulnrichment

Updated: 2026-05-04T20:18:51.965Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-04T19:16:04.397

Modified: 2026-05-11T17:22:42.860

Link: CVE-2026-42154

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-04T18:13:12Z

Links: CVE-2026-42154 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T14:00:06Z

Weaknesses