CVE-2026-42154

HIGH

Prometheus: remote read endpoint allows denial of service via crafted snappy payload

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-42154. PoCs published by ShadowByte1.

AI-analyzed exploit summary The repository contains only a minimal README with the CVE identifier and a brief description, lacking any functional exploit code or technical details.

Description

Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.

Exploits (1)

nomisec STUB
by ShadowByte1 · poc
https://github.com/ShadowByte1/CVE-2026-42154

The repository contains only a minimal README with the CVE identifier and a brief description, lacking any functional exploit code or technical details.

Classification
Stub 90%
Attack Type
Dos
Complexity
Theoretical
Reliability
Theoretical
Target: Prometheus
No auth needed
Prerequisites: none specified
devstral-2 · analyzed May 15, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 7.5
EPSS 0.0002
EPSS Percentile 6.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-400 CWE-789
Status published
Products (5)
prometheus/prometheus < 3.5.3 (2 CPE variants)
prometheus/prometheus 0 - 0.305.2Go
prometheus/prometheus 0.306.0 - 0.311.3Go
prometheus/prometheus 1.0.0-rc.0 - 2.5.0Go
prometheus/prometheus >= 3.6.0, < 3.11.3
Published May 04, 2026
Tracked Since May 05, 2026