CVE Vulnerabilities

CVE-2026-42154

Uncontrolled Resource Consumption

Published: May 04, 2026 | Modified: Jul 14, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.

Weakness

The product does not properly control the allocation and maintenance of a limited resource.

Affected Software

NameVendorStart VersionEnd Version
PrometheusPrometheus*3.5.3 (excluding)
PrometheusPrometheus3.6.0 (including)3.11.3 (excluding)
Red Hat Enterprise Linux 10RedHatopentelemetry-collector-0:0.152.1-1.el10_2*
Red Hat Enterprise Linux 9RedHatopentelemetry-collector-0:0.152.1-1.el9_8*
RHEM 1.0 for RHEL 9RedHatflightctl-0:1.0.3-1.el9em*
Logging Subsystem for Red Hat OpenShift 6.4RedHatopenshift-logging/logging-loki-rhel9:1782405469*
Red Hat Advanced Cluster Management for Kubernetes 2.13RedHatrhacm2/prometheus-rhel9:1782374537*
Red Hat Edge Manager 1.0RedHatrhem/flightctl-alert-exporter-rhel9:1783502022*
Red Hat Edge Manager 1.0RedHatrhem/flightctl-alertmanager-proxy-rhel9:1783502465*
Red Hat Edge Manager 1.0RedHatrhem/flightctl-api-rhel9:1783502025*
Red Hat Edge Manager 1.0RedHatrhem/flightctl-cli-artifacts-rhel9:1783502494*
Red Hat Edge Manager 1.0RedHatrhem/flightctl-db-setup-rhel9:1783502401*
Red Hat Edge Manager 1.0RedHatrhem/flightctl-pam-issuer-rhel9:1783502403*
Red Hat Edge Manager 1.0RedHatrhem/flightctl-periodic-rhel9:1783502022*
Red Hat Edge Manager 1.0RedHatrhem/flightctl-telemetry-gateway-rhel9:1783502023*
Red Hat Edge Manager 1.0RedHatrhem/flightctl-userinfo-proxy-rhel9:1783502029*
Red Hat Edge Manager 1.0RedHatrhem/flightctl-worker-rhel9:1783502445*
Red Hat Hardened ImagesRedHatjaeger-main-2.19.0-1.hum1*
Red Hat Hardened ImagesRedHatopentelemetry-collector-main-0.153.0-1.hum1*
Red Hat Hardened ImagesRedHatopentelemetry-collector-contrib-main-0.155.0-0.1.hum1*
PrometheusUbuntuesm-apps/xenial*
PrometheusUbuntuquesting*

Potential Mitigations

  • Mitigation of resource exhaustion attacks requires that the target system either:

  • The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question.

  • The second solution is simply difficult to effectively institute – and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.

References