High severity · 7.5 · NVD Advisory · Published Apr 24, 2026 · Updated Apr 24, 2026
CVE-2026-21728
Description
Tempo queries with large limits can cause large memory allocations, which can impact the availability of the service, depending on its deployment strategy.
Mitigation can be done by setting max_result_limit in the search config, e.g. to 262144 (2^18).
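The exposure described above, as an added example that is not Tempo's own code: a request-limit check in Go run with the unpatched default (max_result_limit 0, assumed here to mean "no cap") beside the patched 256*1024 default. The type and field names, reading the limit from a `limit` query parameter, and rejecting rather than clamping an oversized request are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
)

// SearchLimits mirrors the DefaultLimit / MaxLimit pair in the patched Tempo
// default block. Illustrative type, not Tempo's own.
type SearchLimits struct {
	DefaultLimit uint32 // used when the request carries no limit
	MaxLimit     uint32 // hard cap; 0 is ASSUMED to mean "no cap", as the old default suggests
}

var ErrLimitTooLarge = errors.New("requested limit exceeds max_result_limit")

// EffectiveLimit resolves the result limit a search request may allocate for.
// rawQuery is the request's URL query string, e.g. "q=...&limit=50".
// Rejecting over-limit requests (rather than clamping) is an assumption.
func EffectiveLimit(cfg SearchLimits, rawQuery string) (uint32, error) {
	vals, err := url.ParseQuery(rawQuery)
	if err != nil {
		return 0, err
	}
	limit := cfg.DefaultLimit
	if s := vals.Get("limit"); s != "" {
		n, err := strconv.ParseUint(s, 10, 32) // rejects negatives and values > uint32
		if err != nil {
			return 0, fmt.Errorf("invalid limit %q: %w", s, err)
		}
		limit = uint32(n)
	}
	// With MaxLimit == 0 the caller-controlled value passes through untouched:
	// that is the allocation-size exposure the advisory describes.
	if cfg.MaxLimit != 0 && limit > cfg.MaxLimit {
		return 0, ErrLimitTooLarge
	}
	return limit, nil
}

func main() {
	unpatched := SearchLimits{DefaultLimit: 20, MaxLimit: 0}
	patched := SearchLimits{DefaultLimit: 20, MaxLimit: 256 * 1024}
	for _, cfg := range []SearchLimits{unpatched, patched} {
		// constructed request: a limit of four billion results
		n, err := EffectiveLimit(cfg, "q={}&limit=4000000000")
		fmt.Printf("max_result_limit=%d -> limit=%d err=%v\n", cfg.MaxLimit, n, err)
	}
}
```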
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/grafana/tempo | Go | >= 1.3.0, < 2.8.4 | 2.8.4 |
| github.com/grafana/tempo | Go | >= 2.9.0, < 2.9.2 | 2.9.2 |
| github.com/grafana/tempo | Go | >= 2.10.0, < 2.10.2 | 2.10.2 |
Patches (1)
650eb1985a07 bugfix: set default max_result_limit for search to 256*1024 (#6525)
4 files changed · +18 −2
CHANGELOG.md+1 −0 modified@@ -1,5 +1,6 @@ ## main / unreleased +* [CHANGE] Set default `max_result_limit` for search to 256*1024 [#6525](https://github.com/grafana/tempo/pull/6525) (@zhxiaogg) * [CHANGE] **BREAKING CHANGE** Remove Opencensus receiver [#6523](https://github.com/grafana/tempo/pull/6523) (@javiermolinar) * [CHANGE] Upgrade Tempo to Go 1.26.0 [#6443](https://github.com/grafana/tempo/pull/6443) (@stoewer) * [CHANGE] Allow duplicate dimensions for span metrics and service graphs. This is a valid use case if using different instrumentation libraries, with spans having "deployment.environment" and others "deployment_environment", for example. [#6288](https://github.com/grafana/tempo/pull/6288) (@carles-grafana)
docs/sources/tempo/configuration/manifest.md+1 −1 modified@@ -397,7 +397,7 @@ query_frontend: concurrent_jobs: 1000 target_bytes_per_job: 104857600 default_result_limit: 20 - max_result_limit: 0 + max_result_limit: 262144 max_duration: 168h0m0s query_backend_after: 15m0s ingester_shards: 3
modules/frontend/config.go+1 −1 modified@@ -94,7 +94,7 @@ func (cfg *Config) RegisterFlagsAndApplyDefaults(string, *flag.FlagSet) { Sharder: SearchSharderConfig{ QueryBackendAfter: 15 * time.Minute, DefaultLimit: 20, - MaxLimit: 0, + MaxLimit: 256 * 1024, MaxDuration: 168 * time.Hour, // 1 week ConcurrentRequests: defaultConcurrentRequests, TargetBytesPerRequest: defaultTargetBytesPerRequest,
modules/frontend/config_test.go+15 −0 added@@ -0,0 +1,15 @@ +package frontend + +import ( + "flag" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestSearchSharderConfigDefaults(t *testing.T) { + cfg := &Config{} + cfg.RegisterFlagsAndApplyDefaults("", &flag.FlagSet{}) + + assert.Equal(t, uint32(256*1024), cfg.Search.Sharder.MaxLimit) +}
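Review bot: the config.go hunk raises MaxLimit from 0 to 256 * 1024, but nothing in this diff shows where MaxLimit is enforced or what a request whose limit exceeds it receives (an error or a clamped limit); a short comment beside `+ MaxLimit: 256 * 1024,` naming the enforcement path, and a sentence in the CHANGELOG entry stating the behaviour for over-limit requests, would let operators who ran with the previous default of 0 judge the impact of the new default.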
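Review bot: TestSearchSharderConfigDefaults in config_test.go only asserts the default value of Search.Sharder.MaxLimit; it does not exercise a search request with a limit above 256*1024, so a regression that keeps the default but drops the check would still pass. Consider adding a case that submits an over-limit search through the sharder and asserts it is rejected or clamped.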
References (8)
- github.com/advisories/GHSA-p4r4-xvrq-gvmc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-21728 (ghsa, ADVISORY)
- github.com/grafana/tempo/blob/4dc3e5b0d3463a0b67498b662b85a148698b4afd/docs/sources/tempo/release-notes/version-2/v2-10.md (ghsa, WEB)
- github.com/grafana/tempo/blob/4dc3e5b0d3463a0b67498b662b85a148698b4afd/docs/sources/tempo/release-notes/version-2/v2-8.md (ghsa, WEB)
- github.com/grafana/tempo/blob/4dc3e5b0d3463a0b67498b662b85a148698b4afd/docs/sources/tempo/release-notes/version-2/v2-9.md (ghsa, WEB)
- github.com/grafana/tempo/commit/650eb1985a0776789c8564122990f588a742356f (ghsa, WEB)
- github.com/grafana/tempo/pull/6525 (ghsa, WEB)
- grafana.com/security/security-advisories/cve-2026-21728 (nvd, WEB)