CVE-2026-41310
Analyzed Analyzed - Analysis Complete
OpenTelemetry.Exporter.Zipkin Remote Endpoint Cache Memory Leak

Publication date: 2026-05-06

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41310
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opentelemetry opentelemetry.exporter.zipkin to 1.15.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in OpenTelemetry.Exporter.Zipkin versions 1.15.2 and earlier. The Zipkin exporter remote endpoint cache allows unbounded growth of keys derived from span attributes. In scenarios where there are many unique remote endpoint values (high-cardinality), this can cause the process to consume increasing amounts of memory over time.

This unbounded memory growth happens because the cache does not limit the number of stored keys, leading to avoidable memory usage increase and potentially degrading the availability of the process using the Zipkin exporter.

The issue is fixed in version 1.15.3 by introducing a bounded, thread-safe Least Recently Used (LRU) cache with a fixed maximum size for remote endpoints.

Impact Analysis

This vulnerability can lead to increased memory usage in processes that use the Zipkin exporter for client or producer spans, especially in environments with many unique remote endpoint values.

The avoidable memory growth can degrade the availability of the affected process by consuming excessive system resources, potentially causing slowdowns or crashes over time.

Mitigation Strategies

To mitigate this vulnerability, upgrade OpenTelemetry.Exporter.Zipkin to version 1.15.3 or later, which includes a fix by introducing a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.

Compliance Impact

This vulnerability causes unbounded memory growth in the Zipkin exporter remote endpoint cache, which can degrade system availability over time. However, there is no indication that it impacts confidentiality or integrity of data.

Since the vulnerability primarily affects availability and does not involve unauthorized access or data leakage, its direct impact on compliance with standards like GDPR or HIPAAβ€”which focus on data privacy and protectionβ€”is limited.

Nonetheless, degraded availability could indirectly affect compliance if it disrupts critical systems or services required to meet regulatory obligations.

Detection Guidance

This vulnerability involves unbounded memory growth in the Zipkin exporter remote endpoint cache due to high-cardinality span attributes. Detection would primarily focus on monitoring the memory usage of processes using OpenTelemetry.Exporter.Zipkin versions 1.15.2 or earlier.

You can detect potential exploitation or presence of this vulnerability by observing unusually high or steadily increasing memory consumption in applications using the affected Zipkin exporter versions.

Suggested commands to monitor memory usage on your system include:

  • On Linux, use: `top` or `htop` to monitor process memory usage in real time.
  • Use `ps aux --sort=-rss | grep <process_name>` to find processes consuming the most memory.
  • Use `pmap <pid>` to inspect the memory map of a specific process.
  • If you have application logs or telemetry, look for unusually high cardinality in span attributes or logs indicating many unique remote endpoint values.

There are no specific network commands or signatures provided to detect this vulnerability directly from network traffic, as it is related to internal memory usage patterns within the Zipkin exporter.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41310. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart