CVE-2026-29181
CPU Amplification via Header Parsing in OpenTelemetry-Go Baggage
Publication date: 2026-04-07
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opentelemetry | opentelemetry | From 1.36.0 (inc) to 1.41.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in OpenTelemetry-Go versions 1.36.0 to 1.40.0 in the way it processes multi-value baggage headers. Specifically, the header extraction parses each header field-value independently and aggregates members across values. This behavior allows an attacker to send many baggage header lines, which can amplify CPU usage and memory allocations, even if each individual value is within the 8192-byte per-value parse limit.
This can lead to excessive resource consumption on the affected system.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to cause high CPU usage and increased memory allocations on systems running vulnerable versions of OpenTelemetry-Go. This can degrade system performance or potentially lead to denial of service conditions due to resource exhaustion.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade OpenTelemetry-Go to version 1.41.0 or later, where the issue is fixed.