Prometheus CVE-2026-42154: Unauthenticated Memory Exhaustion Vulnerability
Prometheus, the widely used open-source monitoring system, is vulnerable to a high-severity memory exhaustion flaw, CVE-2026-42154. According to the National Vulnerability Database, unauthenticated attackers can exploit the /api/v1/read endpoint by sending a small, specially crafted snappy-compressed payload. This triggers a disproportionately large heap allocation, leading to memory exhaustion and a denial-of-service (DoS) condition by crashing the Prometheus process.
The vulnerability stems from insufficient validation of the declared decoded length in the snappy-compressed request body before memory allocation. This allows an attacker to dictate memory consumption, making it a critical issue for any organization running Prometheus. The National Vulnerability Database assigns this CVE a CVSS score of 7.5 (HIGH), emphasizing its severity and ease of exploitation given the unauthenticated nature and network-based attack vector.
Defenders must prioritize patching. The National Vulnerability Database confirms that this issue has been resolved in Prometheus versions 3.5.3 and 3.11.3. Any Prometheus instances running older versions are exposed and should be updated immediately to mitigate the risk of service disruption. This isn’t theoretical; unauthenticated DoS against critical monitoring infrastructure is a direct path to operational blindness and opens doors for other attacks.
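The pre-allocation guard the advisory describes as missing, as an added example that is not Prometheus code: a snappy block opens with a little-endian varint stating the decoded length, so the check reads only that preamble and rejects the body when the declared length exceeds a cap, before any buffer is sized. The cap value, function names and sample bodies below are assumptions constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical cap for this example; a real deployment tunes it to its workload.
const maxDecodedBytes = 64 << 20 // 64 MiB

var (
	errBadPreamble = errors.New("snappy: malformed length preamble")
	errTooLarge    = errors.New("snappy: declared decoded length exceeds limit")
)

// declaredDecodedLen parses the varint preamble that opens a snappy block and
// returns the decoded length it declares. It inspects only the header and
// allocates nothing, so it is safe to run before any decompression buffer exists.
func declaredDecodedLen(body []byte) (uint64, error) {
	n, k := binary.Uvarint(body)
	if k <= 0 { // k == 0: body too short; k < 0: varint overflows 64 bits
		return 0, errBadPreamble
	}
	return n, nil
}

// checkSnappyBody rejects a request body whose declared decoded length is
// larger than maxBytes. The attacker controls only the declaration, so the
// comparison itself costs nothing regardless of what the body claims.
func checkSnappyBody(body []byte, maxBytes uint64) (uint64, error) {
	n, err := declaredDecodedLen(body)
	if err != nil {
		return 0, err
	}
	if n > maxBytes {
		return n, fmt.Errorf("%w: declared %d bytes, limit %d", errTooLarge, n, maxBytes)
	}
	return n, nil
}

func main() {
	// Constructed sample: preamble declaring 1 KiB (varint 1024 = 0x80 0x08).
	small := []byte{0x80, 0x08}
	// Constructed sample: a preamble declaring the 4 GiB format maximum.
	buf := make([]byte, binary.MaxVarintLen64)
	huge := buf[:binary.PutUvarint(buf, 1<<32-1)]
	for _, b := range [][]byte{small, huge, nil} {
		n, err := checkSnappyBody(b, maxDecodedBytes)
		fmt.Printf("declared=%d err=%v\n", n, err)
	}
}
```

The guard only bounds the declared length; the decompressor must still verify the actual output against that declaration.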
What This Means For You
- If your organization uses Prometheus, you need to check your version immediately. This unauthenticated memory exhaustion vulnerability (CVE-2026-42154) can crash your monitoring system, leaving you blind. Patch to versions 3.5.3 or 3.11.3 or higher without delay.
🛡️ Detection Rules
2 rules · 6 SIEM formats. 2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free; export to any SIEM format via the Intel Bot.
CVE-2026-42154: Prometheus Unauthenticated Memory Exhaustion via /api/v1/read
```yaml
title: 'CVE-2026-42154: Prometheus Unauthenticated Memory Exhaustion via /api/v1/read'
id: scw-2026-05-04-ai-1
status: experimental
level: high
description: |
  Detects requests to the Prometheus /api/v1/read endpoint using the POST method. This is the primary endpoint targeted by CVE-2026-42154 to trigger an unauthenticated memory exhaustion vulnerability by sending a crafted snappy-compressed request body with a declared decoded length that causes excessive heap allocation. This rule aims to identify the initial exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42154/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri:
      - '/api/v1/read'
    cs-method:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42154 | DoS | Prometheus versions prior to 3.5.3 |
| CVE-2026-42154 | DoS | Prometheus versions prior to 3.11.3 |
| CVE-2026-42154 | DoS | Prometheus remote read endpoint /api/v1/read |
| CVE-2026-42154 | DoS | Snappy-compressed request body length validation bypass |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 04, 2026 at 22:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.