{"id":"GO-2026-5264","summary":"Prometheus: Remote read endpoint allows denial of service via crafted snappy payload in github.com/prometheus/prometheus","details":"Prometheus: Remote read endpoint allows denial of service via crafted snappy payload in github.com/prometheus/prometheus","aliases":["BIT-prometheus-2026-42154","CVE-2026-42154","GHSA-8rm2-7qqf-34qm"],"modified":"2026-06-25T19:56:12.114245941Z","published":"2026-06-25T18:43:15Z","database_specific":{"review_status":"UNREVIEWED","url":"https://pkg.go.dev/vuln/GO-2026-5264"},"references":[{"type":"ADVISORY","url":"https://github.com/prometheus/prometheus/security/advisories/GHSA-8rm2-7qqf-34qm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42154"},{"type":"FIX","url":"https://github.com/prometheus/prometheus/pull/18584"},{"type":"FIX","url":"https://github.com/prometheus/prometheus/pull/18585"},{"type":"WEB","url":"https://github.com/prometheus/prometheus/releases/tag/v3.11.3"},{"type":"WEB","url":"https://github.com/prometheus/prometheus/releases/tag/v3.5.3"}],"affected":[{"package":{"name":"github.com/prometheus/prometheus","ecosystem":"Go","purl":"pkg:golang/github.com/prometheus/prometheus"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.305.2"},{"introduced":"0.306.0"},{"fixed":"0.311.3"},{"introduced":"1.0.0-rc.0"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-5264.json"}},{"package":{"name":"github.com/prometheus/prometheus/v2","ecosystem":"Go","purl":"pkg:golang/github.com/prometheus/prometheus/v2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"}]}],"ecosystem_specific":{},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2026-5264.json"}}],"schema_version":"1.7.5"}