{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/snappy/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-42154"}],"_cs_exploited":false,"_cs_products":["go/github.com/prometheus/prometheus (\u003c 0.311.3)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","prometheus","snappy"],"_cs_type":"advisory","_cs_vendors":["Prometheus"],"content_html":"\u003cp\u003eThe Prometheus monitoring system is susceptible to a denial-of-service (DoS) vulnerability affecting the \u003ccode\u003e/api/v1/read\u003c/code\u003e endpoint. This flaw, identified as CVE-2026-42154, stems from the lack of validation of the declared decoded length within snappy-compressed request bodies. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted, small payload. This payload triggers a massive heap allocation for each request, rapidly consuming available memory resources. Under concurrent load, this leads to memory exhaustion and subsequent crashing of the Prometheus process. The vulnerability impacts Prometheus versions prior to 3.11.3 and 3.5.3 LTS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Prometheus instance exposing the \u003ccode\u003e/api/v1/read\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a small HTTP POST request containing a snappy-compressed body.\u003c/li\u003e\n\u003cli\u003eThe crafted payload declares an extremely large decoded length within the snappy header.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious HTTP POST request to the \u003ccode\u003e/api/v1/read\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe Prometheus server receives the request and attempts to decompress the snappy data.\u003c/li\u003e\n\u003cli\u003eDue to the missing validation, the server allocates a large chunk of memory based on the declared (but invalid) decoded length.\u003c/li\u003e\n\u003cli\u003eThe attacker sends numerous concurrent requests, each triggering a large memory allocation.\u003c/li\u003e\n\u003cli\u003eThe Prometheus server\u0026rsquo;s memory is rapidly exhausted, leading to a crash and denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition, rendering the Prometheus monitoring system unavailable. This can disrupt monitoring capabilities, leading to delayed detection of critical system issues and potentially impacting incident response. The vulnerability is unauthenticated, increasing the risk of exploitation. The number of victims depends on the exposure of vulnerable Prometheus instances; any instance accessible over the network is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Prometheus instances to version 3.11.3 or 3.5.3 LTS or later to remediate CVE-2026-42154.\u003c/li\u003e\n\u003cli\u003eFor users unable to upgrade immediately, implement a reverse proxy or firewall to require authentication before requests reach the \u003ccode\u003e/api/v1/read\u003c/code\u003e endpoint as a temporary workaround.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious Prometheus Snappy Request Size\u0026rdquo; to identify potential exploitation attempts targeting the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusually large POST requests to the \u003ccode\u003e/api/v1/read\u003c/code\u003e endpoint, potentially indicating exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-05T19:34:58Z","date_published":"2026-05-05T19:34:58Z","id":"/briefs/2026-05-prometheus-dos/","summary":"The Prometheus remote read endpoint is vulnerable to denial of service due to a missing validation of the declared decoded length in snappy-compressed request bodies, allowing unauthenticated attackers to exhaust memory resources.","title":"Prometheus Remote Read Endpoint Denial-of-Service Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-prometheus-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Snappy","version":"https://jsonfeed.org/version/1.1"}