2433226 – (CVE-2026-21720) CVE-2026-21720 grafana: Grafana: Denial of Service via resource exhaustion from avatar requests

Bug 2433226 (CVE-2026-21720) - CVE-2026-21720 grafana: Grafana: Denial of Service via resource exhaustion from avatar requests

Summary: CVE-2026-21720 grafana: Grafana: Denial of Service via resource exhaustion fr...

Keywords:
Status:	NEW
Alias:	CVE-2026-21720
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-27 10:01 UTC by OSIDB Bzimport
Modified:	2026-01-28 05:28 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-01-27 10:01:37 UTC

Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.

Note You need to log in before you can comment on or make changes to this bug.