CVE-2026-41078

MEDIUM

OpenTelemetry dotnet: Potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path

Title source: cna

Description

OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-38h3-2333-qx47

Scores

CVSS v3 5.9

EPSS 0.0022

EPSS Percentile 12.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (5)

nuget/OpenTelemetry.Exporter.Jaeger 0NuGet

open-telemetry/opentelemetry-dotnet <= 1.6.0-rc.1

open-telemetry/OpenTelemetry.Exporter.Jaeger <= 1.6.0-rc.1

opentelemetry/opentelemetry 1.6.0 alpha1 (5 CPE variants)

opentelemetry/opentelemetry < 1.6.0

Published Apr 23, 2026

Tracked Since Apr 24, 2026