Fedora Account System
Red Hat Associate
Red Hat Customer
Prometheus is an open-source monitoring system and time series database. Prior to versions 3.5.3 and 3.11.3, the remote read endpoint (/api/v1/read) does not validate the declared decoded length in a snappy-compressed request body before allocating memory. An unauthenticated attacker can send a small payload that causes a huge heap allocation per request. Under concurrent load this can exhaust available memory and crash the Prometheus process. This issue has been patched in versions 3.5.3 and 3.11.3.
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2026:34357 https://access.redhat.com/errata/RHSA-2026:34357
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2026:34359 https://access.redhat.com/errata/RHSA-2026:34359
This issue has been addressed in the following products: RHEM 1.0 for RHEL 9 Via RHSA-2026:36796 https://access.redhat.com/errata/RHSA-2026:36796
This issue has been addressed in the following products: RHEM 1.1 for RHEL 10 RHEM 1.1 for RHEL 9 Via RHSA-2026:41019 https://access.redhat.com/errata/RHSA-2026:41019