diff --git a/pkg/ingester/pyroscope/ingest_handler.go b/pkg/ingester/pyroscope/ingest_handler.go
index 3fce178315..26338a7a46 100644
--- a/pkg/ingester/pyroscope/ingest_handler.go
+++ b/pkg/ingester/pyroscope/ingest_handler.go
@@ -124,7 +124,7 @@ func (h ingestHandler) parseInputMetadataFromRequest(_ context.Context, r *http.
 	}
 	if sr := q.Get("sampleRate"); sr != "" {
-		sampleRate, err := strconv.Atoi(sr)
+		sampleRate, err := strconv.ParseUint(sr, 10, 32)
 		if err != nil {
 			_ = h.log.Log(
 				"err", err,
diff --git a/pkg/metastore/fsm/log_entry.go b/pkg/metastore/fsm/log_entry.go
index beffb7a2cc..a5db11d1f9 100644
--- a/pkg/metastore/fsm/log_entry.go
+++ b/pkg/metastore/fsm/log_entry.go
@@ -58,6 +58,10 @@ func marshal(v proto.Message) ([]byte, error) {
 	if err != nil {
 		return raw, err
 	}
+	maxRawSize := 64 * 1024 * 1024 // 64 MB guard
+	if len(raw) > maxRawSize {
+		return nil, fmt.Errorf("marshaled message too large: %d bytes", len(raw))
+	}
 	buf := make([]byte, 4+len(raw))
 	copy(buf[4:], raw)
 	return buf, err
diff --git a/pkg/og/util/bytesize/bytesize.go b/pkg/og/util/bytesize/bytesize.go
index 9a2ffe2f75..b22ed2b4ee 100644
--- a/pkg/og/util/bytesize/bytesize.go
+++ b/pkg/og/util/bytesize/bytesize.go
@@ -3,6 +3,7 @@ package bytesize
 import (
 	"errors"
 	"fmt"
+	"math"
 	"regexp"
 	"strconv"
 	"strings"
@@ -88,6 +89,9 @@ func Parse(str string) (ByteSize, error) {
 	if err != nil {
 		return 0, errParse
 	}
+	if val > uint64(math.MaxInt64) {
+		return 0, errParse
+	}
 	return ByteSize(val) * multiplier, nil
 }
diff --git a/pkg/querier/replication.go b/pkg/querier/replication.go
index fdcf1dfd4f..2189a8bd81 100644
--- a/pkg/querier/replication.go
+++ b/pkg/querier/replication.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"sort"
+	"math"
 	"github.com/cespare/xxhash/v2"
 	"github.com/go-kit/log"
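Review bot: A sample rate of 0 still passes the new check on `sampleRate, err := strconv.ParseUint(sr, 10, 32)`; if the value is later used as a divisor or to derive a sampling period (that use is outside this hunk), zero is the one in-range value that still needs rejecting alongside parse errors. Consider `if err != nil || sampleRate == 0 {` so 0 takes the same logged-and-ignored path as malformed input, or add a comment stating that 0 is meaningful. Note that the variable's type changes from int to uint64, so every later use in parseInputMetadataFromRequest, which continues past the hunk, needs the matching conversion; bitSize 32 does guarantee the value fits in a uint32 without truncation.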
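Review bot: The new guard calls `fmt.Errorf`, but unlike the `math` additions elsewhere in this commit, no import hunk for `fmt` appears for log_entry.go; if `fmt` is not already imported there, the file will not compile. The 64 MiB bound is also a magic local value for what is effectively a log-entry format contract; lift it to package level as `const maxRawSize = 64 << 20 // must match the bound enforced when reading the 4-byte length prefix` so the decode side can reference the same number, since a limit applied only on marshal does nothing against an oversized length prefix read back from disk or a peer. Be aware the check runs after proto.Marshal has already allocated the full buffer, so it caps what enters the log rather than the memory spent producing it.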
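Review bot: The added check only guards the uint64-to-ByteSize conversion; `ByteSize(val) * multiplier` on the following line can still overflow silently for a value just below MaxInt64 combined with any unit multiplier greater than 1, because Go does not trap on integer overflow. Assuming ByteSize is a signed 64-bit type and multiplier is a non-zero integer, fold the multiplier into the bound: `if val > uint64(math.MaxInt64)/uint64(multiplier) {` followed by `return 0, errParse` and `}`. Parse begins before this hunk, so multiplier's type and zero-ness should be confirmed there.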
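Review bot: `"math"` is inserted after `"sort"`, which is out of sorted order; gofmt sorts consecutive import lines within a group, so the hunk is not gofmt-clean and the next formatter run will move it. The group boundary is not visible in this collapsed hunk, but the standard-library group is where it belongs: place `"math"` between `"fmt"` and `"sort"`.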
@@ -249,6 +250,15 @@ func (r *replicasPerBlockID) pruneIncompleteShardedBlocks() (bool, error) {
 			// not a sharded block
 			continue
 			continue
 		}
+
+		// Bounds check before converting shards and using as slice length or index
+		if shards == 0 || shards > uint64(math.MaxInt) {
+			return false, fmt.Errorf("invalid shard count (must be 1..%d), got: %d, for block id %s", math.MaxInt, shards, block)
+		}
+		if shardIdx >= shards {
+			return false, fmt.Errorf("invalid shardIdx: %d for shard count %d", shardIdx, shards)
+		}
+
 		hasShardedBlocks = true
 		shardedBlocks = append(shardedBlocks, block)
diff --git a/pkg/storegateway/gateway_blocks_http.go b/pkg/storegateway/gateway_blocks_http.go
index a5f105d02c..22ae301d71 100644
--- a/pkg/storegateway/gateway_blocks_http.go
+++ b/pkg/storegateway/gateway_blocks_http.go
@@ -10,6 +10,7 @@ import (
 	"path/filepath"
 	"strconv"
 	"time"
+	"math"
 	"github.com/dustin/go-humanize"
 	"github.com/gorilla/mux"
@@ -74,9 +75,11 @@ func (s *StoreGateway) BlocksHandler(w http.ResponseWriter, req *http.Request) {
 	showParents := req.Form.Get("show_parents") == "on"
 	var splitCount int
 	if sc := req.Form.Get("split_count"); sc != "" {
-		splitCount, _ = strconv.Atoi(sc)
-		if splitCount < 0 {
+		parsed, _ := strconv.ParseInt(sc, 10, 32)
+		if parsed < 0 || parsed > int64(math.MaxUint32) {
 			splitCount = 0
+		} else {
+			splitCount = int(parsed)
 		}
 	}
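Review bot: The new bound `shards > uint64(math.MaxInt)` stops the int conversion from overflowing but still admits a shard count in the billions, and the added comment says shards is used as a slice length, so a block ID carrying an absurd shard count would drive a correspondingly huge allocation before anything else rejects it. Bound it by a realistic maximum instead, e.g. `const maxShards = 1 << 16 // upper bound on shards per block; reject anything larger before allocating` and `if shards == 0 || shards > maxShards {`, which also gives the error message a number an operator can act on. Where shards and shardIdx are parsed from the block ID is outside the hunk, and pruneIncompleteShardedBlocks begins before it; the doubled `continue` in the context lines looks like an extraction artifact rather than source, but is worth confirming.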
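Review bot: `"math"` is added after `"time"`, out of sorted order within the standard-library group, so gofmt will reorder it and the hunk is not gofmt-clean. Place `"math"` before `"path/filepath"` (after whatever precedes it in the group, which is outside the hunk).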
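Review bot: The `parsed > int64(math.MaxUint32)` comparison is dead code: `strconv.ParseInt(sc, 10, 32)` never yields a value above MaxInt32, and on out-of-range input it returns the clamped MaxInt32 together with an error that the `_` discards, so `split_count=99999999999` silently becomes splitCount = 2147483647 instead of being rejected. Check the error instead: `parsed, err := strconv.ParseInt(sc, 10, 32)` and `if err != nil || parsed < 0 {`, which also routes non-numeric input to the zero branch explicitly rather than by accident. This is request-controlled input; if splitCount drives the amount of work done later in BlocksHandler (which continues past the hunk), a small explicit upper bound would be worth adding as well.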