CVE-2026-23886
Denial-of-Service in Swift W3C TraceContext via Malformed Header
Publication date: 2026-01-19
Last updated on: 2026-01-19
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| swift | swift-w3c-trace-context | to 1.0.0-beta.5 (exc) |
| swift | swift-otel | to 1.0.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23886 is a denial-of-service vulnerability in the Swift packages swift-otel and swift-w3c-trace-context. It occurs due to improper input validation of HTTP headers, specifically malformed traceparent headers containing invalid hexadecimal characters. When these malformed headers are processed, the service can crash, causing a denial of service. The issue arises because the software did not properly handle invalid characters in the traceparent header fields (trace ID, span ID, and trace flags), leading to abrupt failures. This vulnerability is fixed in swift-w3c-trace-context version 1.0.0-beta.5 and swift-otel version 1.0.4 by improving error handling and validation of these headers. [1, 4]
How can this vulnerability impact me?
This vulnerability can allow a remote attacker to cause a denial-of-service (DoS) condition by sending malformed HTTP headers to a service using swift-otel or swift-w3c-trace-context. The malformed headers cause the service to crash, resulting in partial loss of availability. Since the attack requires no privileges or user interaction and can be performed remotely over the network, it can disrupt the normal operation of applications relying on these libraries for tracing and telemetry. [4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or service interruptions in applications using Swift OTel or Swift W3C TraceContext when processing HTTP headers. Specifically, malformed or invalid traceparent HTTP headers containing improper characters may cause the service to crash. Detection could involve capturing and inspecting incoming HTTP headers for malformed traceparent fields or monitoring logs for TraceParentDecodingError or unexpected crashes related to trace context parsing. However, no specific commands or detection tools are provided in the available resources. [1, 4]
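The header inspection suggested above, written out as an added example that is not code from the advisory or from the Swift packages: a strict version-00 W3C traceparent validator (2-32-16-2 lowercase hex fields, reserved version ff and all-zero IDs rejected) that never raises on hostile input, run over a few constructed header lines of the kind a log or proxy tap would yield.

```python
import re

# Strict W3C Trace Context grammar for version 00:
# version "-" trace-id "-" parent-id "-" trace-flags, every field lowercase hex.
_TRACEPARENT_RE = re.compile(
    r"^(?P<version>[0-9a-f]{2})-(?P<trace_id>[0-9a-f]{32})-"
    r"(?P<parent_id>[0-9a-f]{16})-(?P<flags>[0-9a-f]{2})$"
)


def validate_traceparent(value):
    """Return (ok, reason). Designed to fail closed, never to raise."""
    if not isinstance(value, str):
        return False, "not a string"
    m = _TRACEPARENT_RE.match(value)
    if m is None:
        # Covers wrong field lengths, stray separators and any non-lowercase-hex
        # character such as 'g', 'z' or uppercase 'A'-'F'.
        return False, "bad shape or non-lowercase-hex character"
    if m["version"] == "ff":
        return False, "version ff is reserved"
    if m["trace_id"] == "0" * 32:
        return False, "all-zero trace-id"
    if m["parent_id"] == "0" * 16:
        return False, "all-zero parent-id"
    return True, "ok"


def scan_headers(header_lines):
    """Classify every 'traceparent: ...' line; returns [(value, ok, reason)]."""
    findings = []
    for line in header_lines:
        name, sep, raw = line.partition(":")
        if sep and name.strip().lower() == "traceparent":
            value = raw.strip()
            findings.append((value,) + validate_traceparent(value))
    return findings


# Constructed sample header lines (not taken from the advisory).
SAMPLE_HEADERS = [
    "traceparent: 00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01",
    "traceparent: 00-4bf92f3577b34da6a3ce929d0e0e473g-00f067aa0ba902b7-01",
    "traceparent: 00-4BF92F3577B34DA6A3CE929D0E0E4736-00f067aa0ba902b7-01",
    "traceparent: 00-00000000000000000000000000000000-00f067aa0ba902b7-01",
    "Traceparent: 00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-zz",
    "content-type: application/json",
]

if __name__ == "__main__":
    for value, ok, reason in scan_headers(SAMPLE_HEADERS):
        print("OK " if ok else "BAD", value, "-", reason)
```

Only the first sample line passes; each of the other traceparent lines is flagged with the reason a strict parser would reject it, which is the behaviour a patched decoder should show instead of crashing.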
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading to Swift W3C TraceContext version 1.0.0-beta.5 or later and Swift OTel version 1.0.4 or later, which contain patches for this vulnerability. As a workaround, you can disable either the Swift OTel package or the code responsible for extracting trace information from incoming HTTP headers, such as disabling TracingMiddleware that processes these headers, to prevent the crash caused by malformed headers. [4]