FKIE_CVE-2026-21720

Vulnerability from fkie_nvd - Published: 2026-01-27 09:15 - Updated: 2026-02-17 20:06
Summary
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "215EC0E7-BF4E-460F-893F-3D5E56692D65",
              "versionEndExcluding": "11.6.9",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "4D528EF4-2414-4A32-BA0E-16FA15EE1D52",
              "versionEndExcluding": "11.6.9",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "C3E78D4A-A206-4BD4-BBE5-F8BE832B4A07",
              "versionEndExcluding": "12.0.8",
              "versionStartIncluding": "12.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "C0821B6B-AC98-4A9D-973D-12E2063DF866",
              "versionEndExcluding": "12.0.8",
              "versionStartIncluding": "12.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "993757EB-FCCD-4B3B-B23A-00EA8B1AFF52",
              "versionEndExcluding": "12.1.5",
              "versionStartIncluding": "12.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "FB947690-25AC-4597-80B3-9034CE94B8C7",
              "versionEndExcluding": "12.1.5",
              "versionStartIncluding": "12.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:-:*:*:*",
              "matchCriteriaId": "A87029A0-871D-4130-A240-7A64990573F5",
              "versionEndExcluding": "12.2.3",
              "versionStartIncluding": "12.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grafana:grafana:*:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "B3E99C8B-08A8-4672-8ED2-E8CE2F3DCD4A",
              "versionEndExcluding": "12.2.3",
              "versionStartIncluding": "12.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grafana:grafana:12.3.0:*:*:*:-:*:*:*",
              "matchCriteriaId": "9BE4EE19-92B3-4B1D-97BE-76194B38DA2A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:grafana:grafana:12.3.0:*:*:*:enterprise:*:*:*",
              "matchCriteriaId": "EB9EC106-6F33-4834-B59D-6633BB83B6A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems."
    },
    {
      "lang": "es",
      "value": "Cada solicitud sin cach\u00e9 a /avatar/:hash lanza una goroutine que actualiza la imagen de Gravatar. Si la actualizaci\u00f3n permanece en la cola de trabajadores de 10 ranuras por m\u00e1s de tres segundos, el manejador agota el tiempo de espera y deja de escuchar el resultado, de modo que esa goroutine se bloquea para siempre intentando enviar en un canal sin b\u00fafer. El tr\u00e1fico sostenido con hashes aleatorios sigue activando este tiempo de espera, por lo que el recuento de goroutines crece linealmente, agotando la memoria con el tiempo y provocando que Grafana falle en algunos sistemas."
    }
  ],
  "id": "CVE-2026-21720",
  "lastModified": "2026-02-17T20:06:27.733",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security@grafana.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-27T09:15:48.490",
  "references": [
    {
      "source": "security@grafana.com",
      "tags": [
        "Broken Link"
      ],
      "url": "https://grafana.com/security/security-advisories/CVE-2026-21720"
    }
  ],
  "sourceIdentifier": "security@grafana.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        },
        {
          "lang": "en",
          "value": "CWE-703"
        }
      ],
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "type": "Secondary"
    }
  ]
}

