CVE-2026-42154: Prometheus: Remote read endpoint allows denial of service via crafted snappy payload
The remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory.
An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process.
References
- github.com/advisories/GHSA-8rm2-7qqf-34qm
- github.com/prometheus/prometheus/pull/18584
- github.com/prometheus/prometheus/pull/18585
- github.com/prometheus/prometheus/releases/tag/v3.11.3
- github.com/prometheus/prometheus/releases/tag/v3.5.3
- github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm
- nvd.nist.gov/vuln/detail/CVE-2026-42154
Code Behaviors & Features
Detect and mitigate CVE-2026-42154 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →