2026-04-24 8:0 | CVE-2026-21728 | GRAFANA
PUBLISHED | 5.2

Tempo query limit results in unbounded memory allocation

Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.

Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).

Affected products

Grafana

Tempo

< v2.11.0 - AFFECTED

References

GitHub Security Advisories

GHSA-p4r4-xvrq-gvmc

https://github.com/advisories/GHSA-p4r4-xvrq-gvmc

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-21728
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-21728",
    "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
    "assignerShortName": "GRAFANA",
    "dateUpdated": "2026-04-24T08:00:47.074Z",
    "dateReserved": "2026-01-05T09:26:06.215Z",
    "datePublished": "2026-04-24T08:00:47.074Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "shortName": "GRAFANA",
        "dateUpdated": "2026-04-24T08:00:47.074Z"
      },
      "datePublic": "2026-02-23T07:40:45.862Z",
      "title": "Tempo query limit results in unbounded memory allocation",
      "descriptions": [
        {
          "lang": "en",
          "value": "Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.\n\nMitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18)."
        }
      ],
      "affected": [
        {
          "vendor": "Grafana",
          "product": "Tempo",
          "platforms": [
            "OnPrem"
          ],
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "v1.3.0",
              "status": "affected",
              "versionType": "semver",
              "lessThan": "v2.11.0"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://grafana.com/security/security-advisories/cve-2026-21728",
          "tags": [
            "vendor-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH"
          }
        }
      ]
    }
  }
}