Tempo query limit results in unbounded memory allocation_CVE-2026-21728

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.

Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).

Basic Information

ID CVE-2026-21728

Source GRAFANA

Published Apr 24, 2026 at 08:00

Affected Product

Vendor Grafana

Product Tempo

Version v1.3.0

Affected Versions Grafana Tempo v1.3.0

References

grafana.com /security/security-advisories/cve-2026-21728

{
    "lastseen": "",
    "description": "Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.\n\nMitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).",
    "published": "2026-04-24T08:00:47.074Z",
    "modified": "2026-04-24T08:00:47.074Z",
    "type": "cve",
    "title": "Tempo query limit results in unbounded memory allocation",
    "source": "GRAFANA",
    "references": "https://grafana.com/security/security-advisories/cve-2026-21728",
    "id": "CVE-2026-21728",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Grafana Tempo v1.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Tempo",
    "version": "v1.3.0",
    "vendor": "Grafana",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

References

💭 Join the Security Discussion ❌ Cancel Reply