{"uuid": "19ebc68c-fda2-4d8f-ab09-3c8f9ca93029", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42154", "type": "seen", "source": "https://gist.github.com/alon710/a8e4ac23aec9e5a4ede7f32cda789bc3", "content": "# CVE-2026-42154: Unauthenticated Denial of Service via Snappy Bomb in Prometheus Remote Read Endpoint\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-05-05\n> **Full Report:** https://cvereports.com/reports/CVE-2026-42154\n\n## Summary\nPrometheus versions prior to 3.5.3 and 3.6.0 through 3.11.2 are vulnerable to a Denial of Service (DoS) attack. The `/api/v1/read` endpoint improperly handles compressed request bodies, allowing an unauthenticated attacker to exhaust server memory using a crafted Snappy payload. This memory exhaustion causes the underlying process to terminate, rendering the monitoring infrastructure completely unavailable.\n\n## TL;DR\nAn unauthenticated remote attacker can crash the Prometheus server by sending a minimal, crafted Snappy payload to the remote read endpoint, triggering excessive memory allocation and an immediate Out-of-Memory (OOM) condition.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-400, CWE-789\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 7.5 (High)\n- **Impact**: Denial of Service (Memory Exhaustion / OOM)\n- **Exploit Status**: Proof of Concept (PoC) available\n- **Authentication**: None required\n\n## Affected Systems\n\n- Prometheus Core Server\n- Prometheus Remote Read API\n- **Prometheus**: < 3.5.3 (Fixed in: `3.5.3`)\n- **Prometheus**: >= 3.6.0, < 3.11.3 (Fixed in: `3.11.3`)\n\n## Mitigation\n\n- Upgrade to patched Prometheus versions 3.5.3 or 3.11.3\n- Restrict network access to the remote read endpoint via firewall or reverse proxy\n- Implement WAF rules to block malicious payloads targeting /api/v1/read\n- Enforce memory limits via cgroups or Kubernetes limits\n\n**Remediation Steps:**\n1. Identify all deployed Prometheus instances within the infrastructure.\n2. Verify the current version of each instance to determine vulnerability status.\n3. Download the patched binaries (v3.5.3 or v3.11.3) from the official Prometheus release repository.\n4. Deploy the updated binaries and restart the Prometheus service.\n5. Validate that the service operates normally and that legitimate remote read functionality is restored.\n\n## References\n\n- [GitHub Security Advisory GHSA-8rm2-7qqf-34qm](https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm)\n- [Prometheus Pull Request #18584](https://github.com/prometheus/prometheus/pull/18584)\n- [Prometheus Pull Request #18585](https://github.com/prometheus/prometheus/pull/18585)\n- [NVD CVE-2026-42154](https://nvd.nist.gov/vuln/detail/CVE-2026-42154)\n- [CWE-400: Uncontrolled Resource Consumption](https://cwe.mitre.org/data/definitions/400.html)\n- [CWE-789: Memory Allocation with Excessive Size Value](https://cwe.mitre.org/data/definitions/789.html)\n- [MITRE ATT&CK T1499: Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499/)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-42154) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-05T20:10:29.000000Z"}