CVE-2026-21720
- Source
- https://cve.org/CVERecord?id=CVE-2026-21720
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-21720.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-21720
- Aliases
- Downstream
- Related
- Published
- 2026-01-27T09:15:48.490Z
- Modified
- 2026-04-10T15:29:16.301341310Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
- References
Affected packages
Git / github.com/grafana/grafana
Affected ranges
- Type
- GIT
- Repo
- https://github.com/grafana/grafana
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "3.0.0" }, { "fixed": "11.6.9" }, { "introduced": "3.0.0" }, { "fixed": "11.6.9" }, { "introduced": "12.0.0" }, { "fixed": "12.0.8" }, { "introduced": "12.0.0" }, { "fixed": "12.0.8" }, { "introduced": "12.1.0" }, { "fixed": "12.1.5" }, { "introduced": "12.1.0" }, { "fixed": "12.1.5" }, { "introduced": "12.2.0" }, { "fixed": "12.2.3" }, { "introduced": "12.2.0" }, { "fixed": "12.2.3" }, { "introduced": "0" }, { "last_affected": "12.3.0" }, { "introduced": "0" }, { "last_affected": "12.3.0" } ] }
Affected versions
pkg/promlib/v0.*
pkg/promlib/v0.0.1
pkg/promlib/v0.0.2
pkg/promlib/v0.0.3
pkg/promlib/v0.0.4
pkg/promlib/v0.0.5
pkg/promlib/v0.0.6
pkg/promlib/v0.0.7
pkg/promlib/v0.0.8
pkg/util/xorm/v0.*
pkg/util/xorm/v0.0.1
v0.*
v0.0.0-cloud
v0.0.1-test
v1.*
v1.0.1
v1.0.2
v1.0.3
v1.0.4
v1.1.0
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.6.0
v1.6.1
v1.7.0-rc1
v1.9.0
v1.9.0-rc1
v1.9.1
v10.*
v10.0.0-preview
v11.*
v11.6.0
v11.6.2
v11.6.4
v11.6.5
v11.6.6
v11.6.7
v11.6.8
v12.*
v12.0.3
v12.0.4
v12.0.5
v12.0.6
v12.0.6+security-01
v12.0.7
v12.1.0
v12.1.1
v12.1.2
v12.1.3
v12.1.4
v12.2.1
v12.2.2
v12.3.0
v2.*
v2.0.0-beta1
v2.0.0-beta3
v2.0.1
v2.0.2
v2.5.0
v2.6.0
v2.6.0-beta1
v3.*
v3.0.0-beta6
v3.0.0-beta7
v3.0.1
v3.0.2
v3.1.0-beta1
v3.2.1-test
v4.*
v4.4.0
v4.5.0
v4.5.0-beta1
v4.6.0-beta1
v5.*
v5.,2.4
v5.0.0
v5.0.0-beta1
v5.0.0-beta2
v5.0.0-beta3
v5.0.0-beta4
v5.0.0-beta5
v6.*
v6.0.0-beta1
v6.5
v8.*
v8.3.3
v8.4.0-beta1
v8.5.16
v9.*
v9.3.0-beta1