Description
OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023.
Published: 2026-04-23
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory exhaustion leading to denial of service
Action: Disable Exporter
AI Analysis

Impact

The Jaeger exporter in OpenTelemetry dotnet inflates its internal pooled‑list sizing based on the number of spans and tags observed. When a user or attacker supplies telemetry with very high cardinality, the list grows without bounds and the enlarged size is then reused by subsequent allocations. This sustained increase in memory consumption can deplete an application’s heap and result in denial of service. The flaw is a classic unbounded allocation weakness marked as CWE‑770 and is present in all releases 1.6.0‑rc.1 and earlier.

Affected Systems

The affected components are the OpenTelemetry.Exporter.Jaeger library and the opentelemetry-dotnet SDK, both maintained by the OpenTelemetry project. Versions 1.6.0‑rc.1 and earlier are vulnerable; the Jaeger exporter was deprecated in 2023, so newer releases no longer include the vulnerable code.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% reflects a very low exploitation probability at the time of analysis. The vulnerability is not listed in CISA’s KEV catalog. Because the attack requires the attacker to influence the content of telemetry streams, the likely vector is an application or infrastructure component that accepts untrusted telemetry data. There is no official fix, so the risk persists until the exporter is removed or the application mitigates cardinality of telemetry.

Generated by OpenCVE AI on April 28, 2026 at 14:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Remove or disable the OpenTelemetry.Exporter.Jaeger from all affected deployments.
  • Upgrade the opentelemetry-dotnet SDK to a release that no longer contains the Jaeger exporter or that hard‑limits pooled‑list sizing.
  • If removal or upgrade is not feasible, enforce strict limits on span/tag cardinality or sanitize incoming telemetry before it reaches the exporter to prevent list growth.

Generated by OpenCVE AI on April 28, 2026 at 14:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-38h3-2333-qx47 OpenTelemetry .NET has potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path
History

Tue, 28 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Opentelemetry opentelemetry
CPEs cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:*
cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:alpha1:*:*:*:.net:*:*
cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:beta1:*:*:*:.net:*:*
cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:beta2:*:*:*:.net:*:*
cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:beta3:*:*:*:.net:*:*
cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:rc1:*:*:*:.net:*:*
Vendors & Products Opentelemetry opentelemetry

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Opentelemetry
Opentelemetry opentelemetry-dotnet
Opentelemetry opentelemetry.exporter.jaeger
Vendors & Products Opentelemetry
Opentelemetry opentelemetry-dotnet
Opentelemetry opentelemetry.exporter.jaeger

Thu, 23 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Description OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023.
Title OpenTelemetry dotnet: Potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Opentelemetry Opentelemetry Opentelemetry-dotnet Opentelemetry.exporter.jaeger
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T18:52:26.466Z

Reserved: 2026-04-16T16:43:03.176Z

Link: CVE-2026-41078

cve-icon Vulnrichment

Updated: 2026-04-23T18:52:10.472Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T19:17:28.950

Modified: 2026-04-28T19:24:14.040

Link: CVE-2026-41078

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses