CVE-2026-21728
Modified
Modified - Updated After Analysis
BaseFortify
Vulnerability report for CVE-2026-21728, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-04-24
Last updated on: 2026-06-30
Assigner: Grafana Labs
Description
Description
Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy.
Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| grafana | tempo | From 1.3.0 (inc) to 2.8.4 (exc) |
| grafana | tempo | From 2.10.0 (inc) to 2.10.2 (exc) |
| grafana | tempo | From 2.9.0 (inc) to 2.9.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |