CVE-2026-21720 (GCVE-0-2026-21720)

Vulnerability from cvelistv5 – Published: 2026-01-27 09:07 – Updated: 2026-07-07 21:08
VLAI
Title
Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out
Summary
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-400 - Uncontrolled Resource Consumption
  • CWE-703 - Improper Check or Handling of Exceptional Conditions
  • CWE-772 - Missing Release of Resource after Effective Lifetime
Assigner
Impacted products
Vendor Product Version
Grafana grafana/grafana-enterprise Affected: 3.0.0 , < 11.6.9 (semver)
Create a notification for this product.
Grafana grafana/grafana-enterprise Affected: 3.0.0 , < 12.0.8 (semver)
Create a notification for this product.
Grafana grafana/grafana-enterprise Affected: 3.0.0 , < 12.1.5 (semver)
Create a notification for this product.
Grafana grafana/grafana Affected: 3.0.0 , < 11.6.9 (semver)
Create a notification for this product.
Grafana grafana/grafana Affected: 3.0.0 , < 12.0.8 (semver)
Create a notification for this product.
Grafana grafana/grafana Affected: 3.0.0 , < 12.1.5 (semver)
Create a notification for this product.
Grafana grafana/grafana-enterprise Affected: 3.0.0 , < 12.2.3 (semver)
Create a notification for this product.
Grafana grafana/grafana Affected: 3.0.0 , < 12.2.3 (semver)
Create a notification for this product.
Grafana grafana/grafana-enterprise Affected: 3.0.0 , < 12.3.1 (semver)
Create a notification for this product.
Grafana grafana/grafana Affected: 3.0.0 , < 12.3.1 (semver)
Create a notification for this product.
Red Hat Red Hat Ceph Storage 7     cpe:/a:redhat:ceph_storage:7
Create a notification for this product.
Red Hat Red Hat Ceph Storage 8     cpe:/a:redhat:ceph_storage:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 10     cpe:/o:redhat:enterprise_linux:10
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 8     cpe:/o:redhat:enterprise_linux:8
Create a notification for this product.
Red Hat Red Hat Enterprise Linux 9     cpe:/o:redhat:enterprise_linux:9
Create a notification for this product.
Date Public
2026-01-27 09:03
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-21720",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-27T14:28:02.795937Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          },
          {
            "descriptions": [
              {
                "cweId": "CWE-703",
                "description": "CWE-703 Improper Check or Handling of Exceptional Conditions",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-27T14:29:08.671Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:/a:redhat:ceph_storage:7"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Ceph Storage 7",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/a:redhat:ceph_storage:8"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Ceph Storage 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:10"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 10",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:8"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 8",
            "vendor": "Red Hat"
          },
          {
            "cpes": [
              "cpe:/o:redhat:enterprise_linux:9"
            ],
            "defaultStatus": "unaffected",
            "product": "Red Hat Enterprise Linux 9",
            "vendor": "Red Hat"
          }
        ],
        "datePublic": "2026-01-27T09:07:04.758Z",
        "descriptions": [
          {
            "lang": "en",
            "value": "A flaw was found in Grafana. A remote attacker can exploit this vulnerability by sending a sustained volume of uncached /avatar/:hash requests. This action causes the system to create and block goroutines, which are lightweight concurrent functions, leading to a continuous increase in memory usage. Over time, this resource exhaustion can cause Grafana to crash, resulting in a Denial of Service (DoS)."
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "namespace": "https://access.redhat.com/security/updates/classification/",
                "value": "Important"
              },
              "type": "Red Hat severity rating"
            }
          },
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            },
            "format": "CVSS"
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-772",
                "description": "Missing Release of Resource after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T12:06:49.515Z",
          "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
          "shortName": "redhat-SADP"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_refsource_REDHAT"
            ],
            "url": "https://access.redhat.com/security/cve/CVE-2026-21720"
          },
          {
            "name": "RHBZ#2433226",
            "tags": [
              "issue-tracking",
              "x_refsource_REDHAT"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433226"
          },
          {
            "tags": [
              "x_sadp-csaf-vex"
            ],
            "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21720.json"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-01-27T10:01:10.677Z",
            "value": "Reported to Red Hat."
          },
          {
            "lang": "en",
            "time": "2026-01-27T09:07:04.758Z",
            "value": "Made public."
          }
        ],
        "title": "grafana: Grafana: Denial of Service via resource exhaustion from avatar requests",
        "x_adpType": "supplier",
        "x_generator": {
          "engine": "sadp-cli 1.0.0"
        }
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "11.6.9",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.0.8",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.1.5",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "11.6.9",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.0.8",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.1.5",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.2.3",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.2.3",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana-enterprise",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.3.1",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "grafana/grafana",
          "vendor": "Grafana",
          "versions": [
            {
              "lessThan": "12.3.1",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "datePublic": "2026-01-27T09:03:09.893Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "type": "text/markdown",
              "value": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."
            }
          ],
          "value": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-07T21:08:00.521Z",
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://grafana.com/security/security-advisories/cve-2026-21720"
        }
      ],
      "source": {
        "discovery": "BUG_BOUNTY"
      },
      "title": "Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out",
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "cveId": "CVE-2026-21720",
    "datePublished": "2026-01-27T09:07:04.758Z",
    "dateReserved": "2026-01-05T09:26:06.214Z",
    "dateUpdated": "2026-07-07T21:08:00.521Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-21720",
      "date": "2026-07-09",
      "epss": "0.00618",
      "percentile": "0.45364"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-21720\",\"sourceIdentifier\":\"security@grafana.com\",\"published\":\"2026-01-27T09:15:48.490\",\"lastModified\":\"2026-06-30T03:17:24.267\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.\"},{\"lang\":\"es\",\"value\":\"Cada solicitud sin cach\u00e9 a /avatar/:hash lanza una goroutine que actualiza la imagen de Gravatar. Si la actualizaci\u00f3n permanece en la cola de trabajadores de 10 ranuras por m\u00e1s de tres segundos, el manejador agota el tiempo de espera y deja de escuchar el resultado, de modo que esa goroutine se bloquea para siempre intentando enviar en un canal sin b\u00fafer. El tr\u00e1fico sostenido con hashes aleatorios sigue activando este tiempo de espera, por lo que el recuento de goroutines crece linealmente, agotando la memoria con el tiempo y provocando que Grafana falle en algunos sistemas.\"}],\"affected\":[{\"source\":\"security@grafana.com\",\"affectedData\":[{\"vendor\":\"Grafana\",\"product\":\"grafana/grafana-enterprise\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"3.0.0\",\"lessThan\":\"11.6.9\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Grafana\",\"product\":\"grafana/grafana-enterprise\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"3.0.0\",\"lessThan\":\"12.0.8\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Grafana\",\"product\":\"grafana/grafana-enterprise\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"3.0.0\",\"lessThan\":\"12.1.5\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Grafana\",\"product\":\"grafana/grafana\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"3.0.0\",\"lessThan\":\"11.6.9\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Grafana\",\"product\":\"grafana/grafana\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"3.0.0\",\"lessThan\":\"12.0.8\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Grafana\",\"product\":\"grafana/grafana\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"3.0.0\",\"lessThan\":\"12.1.5\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Grafana\",\"product\":\"grafana/grafana-enterprise\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"3.0.0\",\"lessThan\":\"12.2.3\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Grafana\",\"product\":\"grafana/grafana\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"3.0.0\",\"lessThan\":\"12.2.3\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Grafana\",\"product\":\"grafana/grafana-enterprise\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"3.0.0\",\"lessThan\":\"12.3.1\",\"versionType\":\"semver\",\"status\":\"affected\"}]},{\"vendor\":\"Grafana\",\"product\":\"grafana/grafana\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"3.0.0\",\"lessThan\":\"12.3.1\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"affectedData\":[{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ceph Storage 7\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:ceph_storage:7\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Ceph Storage 8\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/a:redhat:ceph_storage:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 10\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:10\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 8\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:8\"]},{\"vendor\":\"Red Hat\",\"product\":\"Red Hat Enterprise Linux 9\",\"defaultStatus\":\"unaffected\",\"cpes\":[\"cpe:/o:redhat:enterprise_linux:9\"]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@grafana.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-27T14:28:02.795937Z\",\"id\":\"CVE-2026-21720\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"},{\"lang\":\"en\",\"value\":\"CWE-703\"}]},{\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-772\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"11.6.9\",\"matchCriteriaId\":\"215EC0E7-BF4E-460F-893F-3D5E56692D65\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"11.6.9\",\"matchCriteriaId\":\"4D528EF4-2414-4A32-BA0E-16FA15EE1D52\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndExcluding\":\"12.0.8\",\"matchCriteriaId\":\"C3E78D4A-A206-4BD4-BBE5-F8BE832B4A07\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"12.0.0\",\"versionEndExcluding\":\"12.0.8\",\"matchCriteriaId\":\"C0821B6B-AC98-4A9D-973D-12E2063DF866\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"12.1.0\",\"versionEndExcluding\":\"12.1.5\",\"matchCriteriaId\":\"993757EB-FCCD-4B3B-B23A-00EA8B1AFF52\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"12.1.0\",\"versionEndExcluding\":\"12.1.5\",\"matchCriteriaId\":\"FB947690-25AC-4597-80B3-9034CE94B8C7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"12.2.0\",\"versionEndExcluding\":\"12.2.3\",\"matchCriteriaId\":\"A87029A0-871D-4130-A240-7A64990573F5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*\",\"versionStartIncluding\":\"12.2.0\",\"versionEndExcluding\":\"12.2.3\",\"matchCriteriaId\":\"B3E99C8B-08A8-4672-8ED2-E8CE2F3DCD4A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:12.3.0:*:*:*:-:*:*:*\",\"matchCriteriaId\":\"9BE4EE19-92B3-4B1D-97BE-76194B38DA2A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:grafana:grafana:12.3.0:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"EB9EC106-6F33-4834-B59D-6633BB83B6A5\"}]}]}],\"references\":[{\"url\":\"https://grafana.com/security/security-advisories/cve-2026-21720\",\"source\":\"security@grafana.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-21720\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2433226\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"},{\"url\":\"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21720.json\",\"source\":\"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"grafana: Grafana: Denial of Service via resource exhaustion from avatar requests\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:ceph_storage:7\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ceph Storage 7\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:ceph_storage:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Ceph Storage 8\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:10\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 10\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:8\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 8\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/o:redhat:enterprise_linux:9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat Enterprise Linux 9\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-01-27T10:01:10.677Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-01-27T09:07:04.758Z\", \"value\": \"Made public.\"}], \"x_adpType\": \"supplier\", \"datePublic\": \"2026-01-27T09:07:04.758Z\", \"references\": [{\"url\": \"https://access.redhat.com/security/cve/CVE-2026-21720\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2433226\", \"name\": \"RHBZ#2433226\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21720.json\", \"tags\": [\"x_sadp-csaf-vex\"]}], \"x_generator\": {\"engine\": \"sadp-cli 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in Grafana. A remote attacker can exploit this vulnerability by sending a sustained volume of uncached /avatar/:hash requests. This action causes the system to create and block goroutines, which are lightweight concurrent functions, leading to a continuous increase in memory usage. Over time, this resource exhaustion can cause Grafana to crash, resulting in a Denial of Service (DoS).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-772\", \"description\": \"Missing Release of Resource after Effective Lifetime\"}]}], \"providerMetadata\": {\"orgId\": \"0b0ca135-0b70-47e7-9f44-1890c2a1c46c\", \"shortName\": \"redhat-SADP\", \"dateUpdated\": \"2026-06-30T12:06:49.515Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-21720\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-27T14:28:02.795937Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400 Uncontrolled Resource Consumption\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-703\", \"description\": \"CWE-703 Improper Check or Handling of Exceptional Conditions\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-27T14:27:05.963Z\"}}], \"cna\": {\"title\": \"Unauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out\", \"source\": {\"discovery\": \"BUG_BOUNTY\"}, \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\"}}], \"affected\": [{\"vendor\": \"Grafana\", \"product\": \"grafana/grafana-enterprise\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"11.6.9\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Grafana\", \"product\": \"grafana/grafana-enterprise\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"12.0.8\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Grafana\", \"product\": \"grafana/grafana-enterprise\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"12.1.5\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Grafana\", \"product\": \"grafana/grafana\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"11.6.9\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Grafana\", \"product\": \"grafana/grafana\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"12.0.8\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Grafana\", \"product\": \"grafana/grafana\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"12.1.5\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Grafana\", \"product\": \"grafana/grafana-enterprise\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"12.2.3\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Grafana\", \"product\": \"grafana/grafana\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"12.2.3\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Grafana\", \"product\": \"grafana/grafana-enterprise\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"12.3.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Grafana\", \"product\": \"grafana/grafana\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"12.3.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-01-27T09:03:09.893Z\", \"references\": [{\"url\": \"https://grafana.com/security/security-advisories/cve-2026-21720\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.\", \"supportingMedia\": [{\"type\": \"text/markdown\", \"value\": \"Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.\"}]}], \"providerMetadata\": {\"orgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"shortName\": \"GRAFANA\", \"dateUpdated\": \"2026-07-07T21:08:00.521Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-21720\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-07T21:08:00.521Z\", \"dateReserved\": \"2026-01-05T09:26:06.214Z\", \"assignerOrgId\": \"57da9224-a3e2-4646-9d0e-c4dc2e05e7da\", \"datePublished\": \"2026-01-27T09:07:04.758Z\", \"assignerShortName\": \"GRAFANA\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…