VDB
CVE-2026-21720
CVE-2026-21720
PUBLISHED
Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems.
EPSS 0.04% · 11.2th percentile
Risk Scores
EPSS Score
0.04%
11.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | grafana | 12.0.0, 12.1.0, 12.2.0 |
| Bitnami | grafana | 12.0.0, 12.1.0, 12.2.0 |
Exploit Intelligence
- CIRCL seen: CVE-2026-21720 (circl-sighting)
- https://grafana.com/security/security-advisories/cve-2026-21720 (circl)
Timeline
- Jan 27, 2026 EPSS Score
- Jan 27, 2026 CVE Published
- Jan 27, 2026 PoC Published
- Jan 30, 2026 EPSS Score
- Feb 1, 2026 EPSS Score
- Feb 4, 2026 EPSS Score
- Feb 6, 2026 EPSS Score
- Feb 9, 2026 EPSS Score
- Feb 11, 2026 EPSS Score
- Feb 14, 2026 EPSS Score
- Feb 16, 2026 EPSS Score
- Feb 18, 2026 CVE Updated