Description
OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.
Published: 2026-05-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenTelemetry.Exporter.Zipkin in .NET versions 1.15.2 and earlier stores remote endpoint information in an unbounded cache whose keys are derived from span attributes. When a process generates many unique span attributes—especially in high‑cardinality scenarios—the cache grows without limit, causing the process memory usage to increase over time and potentially leading to resource exhaustion. This flaw is a form of uncontrolled resource consumption (CWE‑400, CWE‑770) rather than an authentication bypass or code‑execution bug.

Affected Systems

The vulnerability affects the OpenTelemetry .NET Zipkin exporter, a component of the open‑telemetry:opentelemetry-dotnet product. All releases up to and including 1.15.2 are affected; versions 1.15.3 and later contain a bounded, thread‑safe LRU cache that limits the number of cached endpoints.

Risk and Exploitability

The reported CVSS score of 5.3 indicates medium severity, and the EPSS score is not available, suggesting no high exploitation probability data. The vulnerability is not listed in CISA’s KEV catalog, implying no known widespread exploitation. The likely attack vector involves a client or producer application that emits traces with a large variety of span attributes, causing sustained growth of the internal cache. A malicious actor could craft such high‑cardinality spans to trigger the memory surge, potentially exhausting resources and impacting service availability.

Generated by OpenCVE AI on May 6, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OpenTelemetry .NET package to version 1.15.3 or later to gain the bounded LRU cache that limits endpoint storage.
  • If an upgrade is not immediately possible, reduce the cardinality of span attributes that influence remote endpoint determination or otherwise limit the variety of remote endpoint values recorded.
  • Continuously monitor application memory consumption for abnormal growth patterns and investigate any sustained increases that could indicate exploitation of the unbounded cache.

Generated by OpenCVE AI on May 6, 2026 at 22:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-88hf-wf7h-7w4m OpenTelemetry's Zipkin remote endpoint cache could grow without bounds and increase memory pressure
History

Thu, 07 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Opentelemetry
Opentelemetry opentelemetry-dotnet
Vendors & Products Opentelemetry
Opentelemetry opentelemetry-dotnet

Wed, 06 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.
Title OpenTelemetry .NET Zipkin exporter has unbounded remote endpoint cache leading to memory growth
Weaknesses CWE-400
CWE-770
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Opentelemetry Opentelemetry-dotnet
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:19:12.396Z

Reserved: 2026-04-20T14:01:46.670Z

Link: CVE-2026-41310

cve-icon Vulnrichment

Updated: 2026-05-07T13:18:52.744Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-06T22:16:25.643

Modified: 2026-05-07T15:04:40.967

Link: CVE-2026-41310

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T22:45:13Z

Weaknesses