CVE-2026-41310
MEDIUM
OpenTelemetry .NET Zipkin exporter has unbounded remote endpoint cache leading to memory growth
Title source: cna
Description
OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.
References (2)
x_refsource_confirm
https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-88hf-wf7h-7w4m
x_refsource_misc
https://github.com/open-telemetry/opentelemetry-dotnet/pull/7081
Scores
CVSS v3
5.3
EPSS
0.0002
EPSS Percentile
4.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-400
CWE-770
Status
published
Products (3)
nuget/OpenTelemetry.Exporter.Zipkin
0 - 1.15.3 NuGet
open-telemetry/opentelemetry-dotnet
<= 1.15.2
opentelemetry/opentelemetry.exporter.zipkin
< 1.15.3
Published
May 06, 2026
Tracked Since
May 07, 2026