DEBIAN-CVE-2026-42154
- Source
- https://security-tracker.debian.org/tracker/CVE-2026-42154
- Import Source
- https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-42154.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-42154
- Upstream
- Published
- 2026-05-04T19:16:04.397Z
- Modified
- 2026-05-06T08:00:56.870224Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
- References
Affected packages
Debian:11 / prometheus
Package
- Name
- prometheus
- Purl
- pkg:deb/debian/prometheus?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
2.*
2.24.1+ds-1
2.31.1+ds1-1
2.31.1+ds2-1
2.31.1+ds2-2
2.31.2+ds1-1
2.33.5+ds1-1
2.33.5+ds1-2~bpo11+1
2.33.5+ds1-2
2.33.5+ds1-3
2.33.5+ds1-4
2.34.0+ds1-1
2.35.0+ds1-1
2.36.2+ds1-1
2.37.1+ds1-1
2.38.0+ds1-1
2.39.1+ds1-1
2.39.1+ds1-2
2.40.0+ds-1
2.40.1+ds-1
2.40.2+ds-1
2.40.2+ds-2
2.40.2+ds-3
2.40.3+ds-1
2.40.4+ds-1
2.40.4+ds-1+0.riscv64.1
2.40.4+ds-2
2.40.5+ds-1
2.40.5+ds-2
2.40.5+ds-3
2.40.7+ds-1
2.41.0+ds-1
2.41.0+ds-2
2.42.0+ds-1
2.42.0+ds-2
2.42.0+ds-3
2.42.0+ds-4
2.42.0+ds-5
2.42.0+ds-6
2.43.1+ds-1
2.44.0+ds-1
2.45.0+ds-1
2.45.0+ds-2
2.45.0+ds-3
2.45.1+ds-1
2.45.1+ds-2
2.45.1+ds-3
2.45.3+ds-1
2.45.3+ds-2
2.45.3+ds-3
2.45.4+ds-1
2.45.4+ds-2
2.45.5+ds-1
2.45.6+ds-1
2.45.6+ds-2
2.45.6+ds-3
2.45.6+ds-4
2.45.6+ds-5
2.45.6+ds-6
2.45.6+ds-7
2.45.6+ds-8
2.45.6+ds-9
2.53.1+ds-1
2.53.1+ds-2
2.53.1+ds-3
2.53.3+ds1-1
2.53.3+ds1-2
2.53.4+ds1-1
2.53.5+ds1-1
2.53.5+ds1-2
2.53.5+ds1-3
2.53.5+ds1-4
Debian:12 / prometheus
Package
- Name
- prometheus
- Purl
- pkg:deb/debian/prometheus?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
2.*
2.42.0+ds-5
2.42.0+ds-6
2.43.1+ds-1
2.44.0+ds-1
2.45.0+ds-1
2.45.0+ds-2
2.45.0+ds-3
2.45.1+ds-1
2.45.1+ds-2
2.45.1+ds-3
2.45.3+ds-1
2.45.3+ds-2
2.45.3+ds-3
2.45.4+ds-1
2.45.4+ds-2
2.45.5+ds-1
2.45.6+ds-1
2.45.6+ds-2
2.45.6+ds-3
2.45.6+ds-4
2.45.6+ds-5
2.45.6+ds-6
2.45.6+ds-7
2.45.6+ds-8
2.45.6+ds-9
2.53.1+ds-1
2.53.1+ds-2
2.53.1+ds-3
2.53.3+ds1-1
2.53.3+ds1-2
2.53.4+ds1-1
2.53.5+ds1-1
2.53.5+ds1-2
2.53.5+ds1-3
2.53.5+ds1-4
Debian:13 / prometheus
Package
- Name
- prometheus
- Purl
- pkg:deb/debian/prometheus?arch=source
Debian:14 / prometheus
Package
- Name
- prometheus
- Purl
- pkg:deb/debian/prometheus?arch=source