logo

Database

Asymmetric denial of service In github.com/grafana/tempo

Description

Grafana Tempo has an Uncontrolled Resource Consumption issue Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.

Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-217282. NVD-2026-217283. OSV-2026-217284. GCVE-2026-21728

References

1. https://github.com/grafana/tempo/pull/65252. https://github.com/grafana/tempo/commit/650eb1985a0776789c8564122990f588a742356f3. https://github.com/grafana/tempo/blob/4dc3e5b0d3463a0b67498b662b85a148698b4afd/docs/sources/tempo/release-notes/version-2/v2-10.md?plain=1#L3284. https://github.com/grafana/tempo/blob/4dc3e5b0d3463a0b67498b662b85a148698b4afd/docs/sources/tempo/release-notes/version-2/v2-8.md?plain=1#L2515. https://github.com/grafana/tempo/blob/4dc3e5b0d3463a0b67498b662b85a148698b4afd/docs/sources/tempo/release-notes/version-2/v2-9.md?plain=1#L2246. https://grafana.com/security/security-advisories/cve-2026-21728

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.