CVE-2026-42154

HIGH 7.5

Prometheus: remote read endpoint allows denial of service via crafted snappy payload

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.

CWE	CWE-400 CWE-789
Vendor	prometheus
Product	prometheus
Ecosystems	Monitoring
Industries	Technology
Published	May 4, 2026
Last Updated	May 4, 2026

Stay Ahead of the Next One

Get instant alerts for prometheus prometheus

Be the first to know when new high vulnerabilities affecting prometheus prometheus are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

prometheus / prometheus

< 3.5.3 >= 3.6.0, < 3.11.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm github.com: https://github.com/prometheus/prometheus/pull/18584 github.com: https://github.com/prometheus/prometheus/pull/18585 github.com: https://github.com/prometheus/prometheus/releases/tag/v3.11.3 github.com: https://github.com/prometheus/prometheus/releases/tag/v3.5.3