CVE-2026-21720
Unknown Unknown - Not Provided
Goroutine Leak in Grafana /avatar/ Handler Causes Memory Exhaustion

Publication date: 2026-01-27

Last updated on: 2026-02-17

Assigner: Grafana Labs

Description
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-27
Last Modified
2026-02-17
Generated
2026-06-16
AI Q&A
2026-01-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21720
EUVD
EUVD-2026-4841
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
grafana grafana From 12.0.0 (inc) to 12.0.8 (exc)
grafana grafana From 12.1.0 (inc) to 12.1.5 (exc)
grafana grafana From 12.2.0 (inc) to 12.2.3 (exc)
grafana grafana From 3.0.0 (inc) to 11.6.9 (exc)
grafana grafana From 12.0.0 (inc) to 12.0.8 (exc)
grafana grafana From 12.1.0 (inc) to 12.1.5 (exc)
grafana grafana From 12.2.0 (inc) to 12.2.3 (exc)
grafana grafana From 3.0.0 (inc) to 11.6.9 (exc)
grafana grafana 12.3.0
grafana grafana 12.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

You can detect this vulnerability by monitoring the number of goroutines in the Grafana process. A steadily increasing goroutine count indicates the issue. Additionally, observing Grafana crashes or high memory usage under sustained traffic with random /avatar/:hash requests can be a sign. Specific commands include using 'ps' or 'top' to monitor Grafana memory usage, and 'curl' or similar tools to simulate /avatar/:hash requests to test behavior. However, no exact commands are provided in the available information.

Impact Analysis

The vulnerability can lead to memory exhaustion due to an increasing number of blocked goroutines, which can cause Grafana to crash on affected systems. This can result in denial of service, disrupting monitoring and visualization services provided by Grafana.

Executive Summary

This vulnerability occurs because every uncached /avatar/:hash request in Grafana spawns a goroutine to refresh the Gravatar image. If the refresh task waits longer than three seconds in a 10-slot worker queue, the handler times out and stops listening for the result. However, the goroutine remains blocked forever trying to send on an unbuffered channel, causing the number of goroutines to grow linearly with sustained traffic. This eventually exhausts memory and can cause Grafana to crash on some systems.

Mitigation Strategies

Immediate mitigation steps include reducing or blocking traffic that generates uncached /avatar/:hash requests with random hashes to prevent goroutine buildup. Limiting the rate of such requests or applying network-level filtering can help. Restarting the Grafana service may temporarily alleviate memory exhaustion caused by the goroutine leak. No specific patches or configuration changes are detailed in the provided information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21720. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart