CVE-2026-42154: Prometheus: remote read endpoint allows denial of service via crafted snappy payload
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
Security readout for executives and security teams
Plain-English summary
Prometheus can be crashed by a small crafted request to its remote read API. The request can trigger a very large memory allocation, causing the monitoring service to run out of memory under load. This is an availability risk, not a data theft issue, based on the supplied CVSS details.
Executive priority
Treat as a prompt availability fix for monitoring infrastructure. A crash in Prometheus can reduce visibility during incidents, even though the cited evidence does not indicate confidentiality or integrity impact.
Technical view
Before Prometheus 3.5.3 and 3.11.3, /api/v1/read fails to validate the declared decoded length of a snappy-compressed request before memory allocation. A network attacker with access to the endpoint can cause excessive heap allocation per request, potentially crashing the process. The issue maps to uncontrolled resource consumption and excessive allocation weaknesses.
Likely exposure
Exposure is likely where Prometheus versions below 3.5.3, or 3.6.0 through below 3.11.3, have /api/v1/read reachable from untrusted networks. Red Hat advisories indicate downstream package impact should also be checked for Red Hat-managed environments.
Exploitation context
The bundle states unauthenticated network exploitation is possible and CVSS rates attack complexity low. It does not cite known public exploitation, and KEV is false, so active exploitation should not be assumed from this evidence.
Researcher notes
Focus review on remote read exposure, snappy request length validation, and memory allocation behavior. The supplied sources identify fixes in Prometheus 3.5.3 and 3.11.3, plus Red Hat downstream advisories. Evidence is sufficient for remediation direction but not for claiming active exploitation.
Mitigation direction
Upgrade Prometheus to 3.5.3 or 3.11.3 as applicable.
Apply relevant Red Hat errata for Red Hat packaged deployments.
Restrict access to /api/v1/read to trusted clients only.
Check vendor guidance for any deployment-specific compensating controls.
Validation and detection
Inventory Prometheus versions across production and staging environments.
Confirm whether /api/v1/read is reachable from untrusted networks.
Review crash, restart, and out-of-memory events around Prometheus processes.
Verify patched versions or vendor-fixed packages after remediation.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-400: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-400 · source CWE mapping
Uncontrolled Resource Consumption
Uncontrolled Resource Consumption represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Allocation of Resources Without Limits or Throttling
Allocation of Resources Without Limits or Throttling represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Memory Allocation with Excessive Size Value represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.