CVE-2026-21720
HIGHUnauthenticated DoS: avatar cache leaks goroutines when /avatar/:hash requests time out
CVSS v3
7.5
HIGH
EPSS Score
0.0%
exploit probability
CISA KEV
No
known exploited
Exploitation
none
SSVC status
Description
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
Technical Details
- CVSS v3 Vector
- 3.1
- Published
- 1/27/2026
- Last Modified
- 2/17/2026
Frequently Asked Questions
What is CVE-2026-21720?
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
Is CVE-2026-21720 actively exploited?
Active exploitation of CVE-2026-21720 has not been confirmed. The EPSS score is 0.0%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2026-21720?
CVE-2026-21720 has a CVSS v3 base score of 7.5 (HIGH severity), with vector string 3.1.
Is CVE-2026-21720 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.