CVE-2026-42154
Prometheus: remote read endpoint allows denial of service via crafted snappy payload
Description
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
How to fix CVE-2026-42154
To remediate CVE-2026-42154, upgrade the affected package to a fixed version below.
- —upgrade to 3.5.3 or later
- —no fix listed
- —upgrade to 0.311.3 or later
Is CVE-2026-42154 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 3.5.3, >= 3.6.0, < 3.11.3
- from 0
- from 0, < 0.311.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |