Description
OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size limit. An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, disable the Azure VM resource detector or use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the Azure VM instance metadata endpoint. This issue is fixed in version 1.15.1-beta.1, which streams responses rather than buffering them entirely in memory and ignores responses larger than 4 MiB.
Published: 2026-05-06
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to cause the application to allocate an unlimited amount of heap memory by sending a huge response to the Azure VM instance metadata request, which can result in memory pressure, garbage‑collection stalls or an OutOfMemoryException that crashes the process and effectively causes a denial of service.

Affected Systems

The problem exists in the OpenTelemetry.Resources.Azure component of the open-telemetry/opentelemetry-dotnet-contrib project. All releases that are 1.15.0-beta.1 or older are affected. The fix is integrated starting with 1.15.1‑beta.1. The component is used by .NET applications that run on Azure VMs when the Azure VM resource detector is enabled.

Risk and Exploitability

The CVSS score is 5.9, indicating moderate impact. No EPSS data is available and the flaw is not listed in KEV, however the exploit is possible if the attacker can control the endpoint that the detector contacts or can perform a man‑in‑the‑middle against the Azure instance metadata service. The attack path requires only network access to the VM’s metadata endpoint; if the detector is enabled, the vulnerability can be leveraged without local code execution. Therefore, the risk is moderate to high for deployments that expose the metadata endpoint externally.

Generated by OpenCVE AI on May 6, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the OpenTelemetry Resources Azure library to version 1.15.1‑beta.1 or later, which streams responses and caps them at 4 MiB.
  • If an upgrade is not immediately possible, disable the Azure VM resource detector in configuration to stop the vulnerable client from making the request.
  • Apply network‑level controls to restrict access to the Azure VM instance metadata endpoint, such as firewall rules, mutual TLS or a service mesh that blocks external or MITM traffic.
  • Monitor application memory usage for unusual spikes that may indicate large metadata responses and ensure only the system’s internal network can reach the endpoint.

Generated by OpenCVE AI on May 6, 2026 at 22:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vc24-j8c5-2vw4 OpenTelemetry.Resources.Azure has an unbounded HTTP response body read
History

Wed, 06 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Opentelemetry
Opentelemetry opentelemetry-dotnet-contrib
Vendors & Products Opentelemetry
Opentelemetry opentelemetry-dotnet-contrib

Wed, 06 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size limit. An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, disable the Azure VM resource detector or use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the Azure VM instance metadata endpoint. This issue is fixed in version 1.15.1-beta.1, which streams responses rather than buffering them entirely in memory and ignores responses larger than 4 MiB.
Title Unbounded HTTP response body read in OpenTelemetry.Resources.Azure
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Opentelemetry Opentelemetry-dotnet-contrib
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-06T20:58:33.021Z

Reserved: 2026-04-20T16:14:19.006Z

Link: CVE-2026-41483

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-06T22:16:25.920

Modified: 2026-05-06T22:16:25.920

Link: CVE-2026-41483

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T22:45:13Z

Weaknesses