CVE-2026-21728
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.
Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Grafana | Tempo | v1.3.0 < v2.11.0 | affected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
grafana/tempo: Tempo: Denial of Service via large queries
Additional References
- https://access.redhat.com/security/cve/CVE-2026-21728
- https://bugzilla.redhat.com/show_bug.cgi?id=2461395
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21728.json
- https://access.redhat.com/errata/RHSA-2026:22423
- https://access.redhat.com/errata/RHSA-2026:22347
- https://access.redhat.com/errata/RHSA-2026:21769
- https://access.redhat.com/errata/RHSA-2026:23345
- https://access.redhat.com/errata/RHSA-2026:24503
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.