Cyber Resilience

CVE-2026-42154

HighDDoS

Published: 04 May 2026

Published
04 May 2026
Modified
11 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0002 6.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42154 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Prometheus Prometheus. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 6.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-42154 is a memory allocation vulnerability in Prometheus, an open-source monitoring system and time series database. In versions prior to 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) fails to validate the declared decoded length of a snappy-compressed request body before allocating heap memory. This flaw, linked to CWE-400 (Uncontrolled Resource Consumption) and CWE-789 (Memory Allocation with Excessive Size Value), carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

An unauthenticated remote attacker can exploit this vulnerability by sending a small, specially crafted snappy-compressed payload to the /api/v1/read endpoint. The invalid declared decoded length triggers a disproportionately large heap allocation per request. Under concurrent requests, this leads to rapid memory exhaustion, causing the Prometheus process to crash and potentially disrupting monitoring services.

Prometheus has addressed this issue in versions 3.5.3 and 3.11.3, with patches detailed in GitHub pull requests #18584 and #18585, release notes for those tags, and security advisory GHSA-8rm2-7qqf-34qm. Security practitioners should upgrade affected Prometheus instances to these patched versions and consider network restrictions on the remote read endpoint if immediate patching is not feasible.

EU & UK References

Vulnerability details

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can…

more

send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of memory allocation flaw in Prometheus /api/v1/read endpoint directly enables application/system exploitation leading to DoS via heap exhaustion and crash.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42151Same product: Prometheus Prometheus
CVE-2026-21452Shared CWE-400, CWE-789
CVE-2026-20048Shared CWE-789
CVE-2024-56921Shared CWE-400
CVE-2026-21945Shared CWE-400
CVE-2024-33618Shared CWE-400
CVE-2025-9278Shared CWE-400
CVE-2026-41135Shared CWE-400
CVE-2026-20650Shared CWE-400
CVE-2025-71031Shared CWE-400

Affected Assets

prometheus
prometheus
≤ 3.5.3 · 3.6.0 — 3.11.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the memory allocation vulnerability by requiring timely application of vendor patches such as those in Prometheus versions 3.5.3 and 3.11.3.

prevent

Requires validation of information inputs like the declared decoded length in snappy-compressed requests to prevent excessive heap allocations from crafted payloads.

prevent

Protects against denial-of-service attacks by limiting the effects of concurrent requests causing memory exhaustion in the remote read endpoint.

References