CVE-2026-21728

HIGH

Tempo query limit results in unbounded memory allocation

Title source: cna

Description

Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy. Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).

References (1)

[Vendor Advisory] https://grafana.com/security/security-advisories/cve-2026-21728

Scores

CVSS v3 7.5

EPSS 0.0001

EPSS Percentile 2.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

Status published

Products (1)

Grafana/Tempo v1.3.0 - v2.11.0

Published Apr 24, 2026

Tracked Since Apr 24, 2026