CVE-2026-42154: Unauthenticated Denial of Service via Snappy Bomb in Prometheus Remote Read Endpoint

DEV Community·CVE Reports·27 days ago

Vulnerability ID: CVE-2026-42154
CVSS Score: 7.5
Published: 2026-05-05

Prometheus versions prior to 3.5.3 and 3.6.0 through 3.11.2 are vulnerable to a Denial of Service (DoS) attack. The /api/v1/read endpoint improperly handles compressed request bodies, allowing an unauthenticated attacker to exhaust server memory using a crafted Snappy payload. This memory exhaustion causes the underlying process to terminate, rendering the monitoring infrastructure completely unavailable.

TL;DR

An unauthenticated remote attacker can crash the Prometheus server by sending a minimal, crafted Snappy payload to the remote read endpoint, triggering excessive memory allocation and an immediate Out-of-Memory (OOM) condition.…
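The failure mode described above is that a Snappy block payload begins with a varint declaring its decoded length, and a decoder that trusts that declaration and sizes its output buffer up front can be made to allocate far more than the few bytes it received. The guard below is an added illustration of the defensive pattern (check the claimed decoded length against a cap before any allocation), written here for this post; it is not Prometheus's own code or its patch, and the 64 MiB limit and the sample inputs are constructed assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// maxRemoteReadDecoded is an assumed cap on how large a decoded remote-read
// body may claim to be; a real deployment would size it to its own workload.
const maxRemoteReadDecoded = 64 << 20 // 64 MiB

var (
	errBadHeader = errors.New("snappy: malformed decoded-length header")
	errTooLarge  = errors.New("snappy: claimed decoded length exceeds limit")
)

// claimedDecodedLen reads the uvarint that every Snappy block-format payload
// starts with: the length the payload says it will decode to. Reading it is
// cheap and allocates nothing, so it can be checked before any buffer is sized.
func claimedDecodedLen(compressed []byte) (uint64, error) {
	n, read := binary.Uvarint(compressed)
	if read <= 0 { // 0: truncated header; <0: varint overflow
		return 0, errBadHeader
	}
	return n, nil
}

// guardSnappyBody rejects a body whose header claims a decoded size above limit.
// A tiny payload declaring a multi-gigabyte decoded length is the shape of a
// "Snappy bomb": a decoder that allocates the declared size first would hit OOM
// before validating any data. The compressed body itself should already have
// been read through an io.LimitReader. Returns the claimed length on success.
func guardSnappyBody(compressed []byte, limit uint64) (uint64, error) {
	n, err := claimedDecodedLen(compressed)
	if err != nil {
		return 0, err
	}
	if n > limit {
		return n, fmt.Errorf("%w: claimed %d bytes, limit %d", errTooLarge, n, limit)
	}
	return n, nil
}

// snappyHeader builds only the decoded-length prefix of a Snappy block for the
// constructed inputs below; it is not a compressor.
func snappyHeader(decodedLen uint64) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	return buf[:binary.PutUvarint(buf, decodedLen)]
}

func main() {
	// Constructed samples: a plausible 1 KiB claim, and a 5-byte body claiming 4 GiB.
	for _, body := range [][]byte{snappyHeader(1024), snappyHeader(4 << 30)} {
		n, err := guardSnappyBody(body, maxRemoteReadDecoded)
		fmt.Printf("body=%d bytes claimed=%d err=%v\n", len(body), n, err)
	}
}
```

The check only bounds what the server is willing to allocate; the fix for affected Prometheus versions is the upgrade the advisory names.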
