CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-42154: Unauthenticated Denial of Service via Snappy Bomb in Prometheus Remote Read Endpoint

Vulnerability ID: CVE-2026-42154
CVSS Score: 7.5
Published: 2026-05-05

Prometheus versions prior to 3.5.3 and 3.6.0 through 3.11.2 are vulnerable to a Denial of Service (DoS) attack. The /api/v1/read endpoint improperly handles compressed request bodies, allowing an unauthenticated attacker to exhaust server memory using a crafted Snappy payload. This memory exhaustion causes the underlying process to terminate, rendering the monitoring infrastructure completely unavailable.

TL;DR

An unauthenticated remote attacker can crash the Prometheus server by sending a minimal, crafted Snappy payload to the remote read endpoint, triggering excessive memory allocation and an immediate Out-of-Memory (OOM) condition.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-400, CWE-789
  • Attack Vector: Network
  • CVSS v3.1 Score: 7.5 (High)
  • Impact: Denial of Service (Memory Exhaustion / OOM)
  • Exploit Status: Proof of Concept (PoC) available
  • Authentication: None required

Affected Systems

  • Prometheus Core Server
  • Prometheus Remote Read API
  • Prometheus: < 3.5.3 (Fixed in: 3.5.3)
  • Prometheus: >= 3.6.0, < 3.11.3 (Fixed in: 3.11.3)

Exploit Details

Mitigation Strategies

  • Upgrade to patched Prometheus versions 3.5.3 or 3.11.3
  • Restrict network access to the remote read endpoint via firewall or reverse proxy
  • Implement WAF rules to block malicious payloads targeting /api/v1/read
  • Enforce memory limits via cgroups or Kubernetes limits

Remediation Steps

  1. Identify all deployed Prometheus instances within the infrastructure.
  2. Verify the current version of each instance to determine vulnerability status.
  3. Download the patched binaries (v3.5.3 or v3.11.3) from the official Prometheus release repository.
  4. Deploy the updated binaries and restart the Prometheus service.
  5. Validate that the service operates normally and that legitimate remote read functionality is restored.
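As an added example for remediation steps 1 and 2 (this is not code from the original report or from the Prometheus project), the affected ranges stated in this advisory are encoded as a version check that can be run over the JSON body returned by a Prometheus instance's GET /api/v1/status/buildinfo endpoint; the sample buildinfo body in the block is constructed, not captured from a real host.

```python
"""Classify a Prometheus build against the ranges CVE-2026-42154 affects.
Added example, not from the original report. Ranges per the advisory:
< 3.5.3 (fixed in 3.5.3) and >= 3.6.0, < 3.11.3 (fixed in 3.11.3)."""
import json
import re
from typing import Optional, Tuple

# (major, minor, patch, release_flag): the flag is 0 for pre-releases so that
# 3.11.3-rc.0 sorts below the 3.11.3 release, as semver orders them.
Version = Tuple[int, int, int, int]
FIXED_35: Version = (3, 5, 3, 1)
START_36: Version = (3, 6, 0, 0)
FIXED_311: Version = (3, 11, 3, 1)
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")


def parse_version(text: str) -> Version:
    """Accept '3.11.2', 'v3.5.3' or '3.11.3-rc.0'; build metadata after '+' is ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Prometheus version: {text!r}")
    major, minor, patch, prerelease, _meta = m.groups()
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def fixed_version_for(text: str) -> Optional[str]:
    """Return the patched release to move to, or None when the build is not affected."""
    v = parse_version(text)
    if v < FIXED_35:
        return "3.5.3"
    if START_36 <= v < FIXED_311:
        return "3.11.3"
    return None


def assess_buildinfo(body: str) -> dict:
    """Evaluate the JSON body of GET /api/v1/status/buildinfo (remediation steps 1 and 2)."""
    doc = json.loads(body)
    if doc.get("status") != "success":
        raise ValueError("buildinfo query did not succeed")
    version = doc["data"]["version"]
    target = fixed_version_for(version)
    return {"version": version, "vulnerable": target is not None, "upgrade_to": target}


# Constructed sample in the shape Prometheus returns; not captured from a real host.
SAMPLE_BUILDINFO = json.dumps({"status": "success", "data": {
    "version": "3.11.2", "revision": "constructed", "branch": "HEAD",
    "buildUser": "example", "buildDate": "20260101-00:00:00", "goVersion": "go1.24"}})
```

Pre-release builds are ranked below their final release, so a 3.11.3 release candidate is still reported as needing the 3.11.3 upgrade.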

References


Read the full report for CVE-2026-42154 on our website for more details including interactive diagrams and full exploit analysis.
