CVE-2026-41310
OpenTelemetry.Exporter.Zipkin Remote Endpoint Cache Memory Leak
Publication date: 2026-05-06
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opentelemetry | opentelemetry.exporter.zipkin | < 1.15.3 (all versions up to and including 1.15.2; 1.15.3 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability affects OpenTelemetry.Exporter.Zipkin (the Zipkin exporter package for OpenTelemetry .NET) in versions 1.15.2 and earlier. The exporter caches the Zipkin remote endpoint it builds for client and producer spans, keyed on values derived from span attributes. The cache never evicts entries, so every distinct remote endpoint value the process sees stays resident for the life of the process. When those values are high-cardinality (many distinct hosts, ports or service names over time), the cache grows without bound and the process consumes steadily more memory.
This is a resource-exhaustion weakness (CWE-770 and CWE-400) rather than a memory-safety bug: nothing is corrupted and no data is exposed, but the avoidable growth degrades the availability of the process that hosts the exporter.
Version 1.15.3 fixes the issue by replacing the unbounded cache with a bounded, thread-safe Least Recently Used (LRU) cache with a fixed maximum size, so once the limit is reached the least recently seen endpoints are evicted instead of accumulating.
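The two patterns side by side, as an added example and not code from the OpenTelemetry .NET project (which is written in C#): an unbounded per-endpoint cache that keeps every key it has ever seen, and a bounded, thread-safe LRU cache of the kind the fix introduces. The key shape (peer service, server address, server port), the attribute names, the `build_endpoint` stand-in and the high-cardinality workload are all constructed for the example; the real exporter's key derivation is not shown on the page.

```python
import threading
from collections import OrderedDict


def endpoint_key(attributes: dict) -> tuple:
    """Constructed stand-in for the key the exporter derives from span attributes.
    The attribute names and tuple shape are assumptions for this example."""
    return (
        attributes.get("peer.service"),
        attributes.get("server.address"),
        attributes.get("server.port"),
    )


def build_endpoint(key: tuple) -> dict:
    """Stand-in for building the Zipkin remote endpoint object for a key."""
    service, host, port = key
    return {"serviceName": service, "host": host, "port": port}


class UnboundedEndpointCache:
    """Vulnerable pattern: a dict that never evicts. Every distinct key stays
    resident until the process exits, so memory tracks cardinality."""

    def __init__(self):
        self._cache = {}
        self._lock = threading.Lock()

    def get_or_add(self, key, build):
        with self._lock:
            if key not in self._cache:
                self._cache[key] = build(key)
            return self._cache[key]

    def __contains__(self, key):
        with self._lock:
            return key in self._cache

    def __len__(self):
        with self._lock:
            return len(self._cache)


class BoundedLruEndpointCache:
    """Fixed pattern: bounded, thread-safe LRU. A hit moves the key to the
    most-recently-used end; an insert past max_size evicts the LRU key."""

    def __init__(self, max_size: int):
        if max_size < 1:
            raise ValueError("max_size must be >= 1")
        self.max_size = max_size
        self._cache = OrderedDict()
        self._lock = threading.Lock()

    def get_or_add(self, key, build):
        with self._lock:
            if key in self._cache:
                self._cache.move_to_end(key)   # mark as most recently used
                return self._cache[key]
            value = build(key)
            self._cache[key] = value
            if len(self._cache) > self.max_size:
                self._cache.popitem(last=False)  # evict least recently used
            return value

    def __contains__(self, key):
        with self._lock:
            return key in self._cache

    def __len__(self):
        with self._lock:
            return len(self._cache)


def simulate(cache, unique_endpoints: int, workers: int = 4) -> int:
    """Push a constructed high-cardinality workload (one distinct remote
    endpoint per span) through the cache from several threads and return
    how many keys remain resident afterwards."""

    def worker(start: int):
        for i in range(start, unique_endpoints, workers):
            attrs = {
                "peer.service": "downstream",
                "server.address": f"10.0.{i // 256}.{i % 256}",
                "server.port": 8080 + (i % 1000),
            }
            cache.get_or_add(endpoint_key(attrs), build_endpoint)

    threads = [threading.Thread(target=worker, args=(w,)) for w in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(cache)


if __name__ == "__main__":
    print("unbounded resident keys:", simulate(UnboundedEndpointCache(), 10_000))
    print("bounded   resident keys:", simulate(BoundedLruEndpointCache(256), 10_000))
```

With 10,000 distinct endpoints the unbounded cache ends holding 10,000 keys, while the bounded cache holds exactly its maximum (256 here) regardless of how many distinct values flow through it. The lock around every operation is what makes the LRU safe for an exporter that is fed spans from many threads; `OrderedDict.move_to_end` and `popitem(last=False)` give O(1) promote-and-evict.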
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability causes unbounded memory growth in the Zipkin exporter's remote endpoint cache, which degrades the availability of the affected process over time. There is no indication that it affects the confidentiality or integrity of any data.
Because the impact is limited to availability and involves no unauthorized access or data leakage, its direct bearing on standards such as GDPR or HIPAA, which focus on data privacy and protection, is limited.
Degraded availability could still affect compliance indirectly if it disrupts critical systems or services that a regulatory obligation depends on, and most frameworks expect known vulnerabilities in deployed software to be patched within a defined window.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability produces unbounded memory growth inside the process, not anomalous network traffic, so detection has two parts: confirming that an affected version is deployed, and watching for the symptom (resident memory that climbs steadily and never returns to baseline) in processes that export spans to Zipkin.
To confirm exposure, check the resolved package version in each .NET project or deployment (these commands assume the standard .NET CLI and procps tools are available):
- `dotnet list package --include-transitive | grep -i OpenTelemetry.Exporter.Zipkin` prints the resolved version, including when the exporter is pulled in transitively; anything below 1.15.3 is affected.
- `dotnet list package --vulnerable` flags packages that have a known advisory once this advisory is in the database the tool consults.
- For a deployed application without the SDK, search the `*.deps.json` next to the main assembly for `OpenTelemetry.Exporter.Zipkin/` to read the version string.
To watch for the symptom:
- On Linux, `top` or `htop` shows per-process memory in real time; sort by resident size (RES).
- `ps -o pid,rss,vsz,etimes,cmd -p <pid>` gives a point-in-time RSS sample; run it on a schedule and compare over hours, because the growth is gradual and proportional to the number of distinct remote endpoints seen.
- `ps aux --sort=-rss | head` lists the processes consuming the most resident memory.
- `pmap -x <pid>` breaks memory down by mapping; growth in anonymous (heap) mappings rather than file-backed ones is consistent with managed-heap growth.
- For .NET processes specifically, `dotnet-counters monitor -p <pid>` reports GC heap size over time, and `dotnet-gcdump collect -p <pid>` captures a managed heap snapshot in which a large population of retained remote-endpoint cache entries would stand out. Both tools are installed separately (`dotnet tool install -g dotnet-counters` and `dotnet tool install -g dotnet-gcdump`).
- In your telemetry backend, look for high cardinality in the span attributes the exporter derives the remote endpoint from (for example many distinct peer addresses or ports per service); that is the workload that triggers the growth.
Rising memory alone is not proof of this CVE, since many leaks look identical from the outside, so pair the trend with the version check. There are no network signatures for this issue.
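The memory-trend check described above, turned into a small watcher, as an added example that is not part of the advisory or the OpenTelemetry project. It samples a process's resident set size from `/proc/<pid>/status` (Linux only) and flags a sustained upward trend using a least-squares slope, so that a single spike or the sawtooth of normal GC cycles is not mistaken for a leak. The thresholds (`min_slope_kb`, `min_samples`, the 30-second interval) are assumptions to tune for your service; the sample series in the usage are constructed.

```python
import sys
import time
from typing import Sequence


def read_rss_kb(pid: int) -> int:
    """Resident set size in KB, read from /proc/<pid>/status (Linux only)."""
    with open(f"/proc/{pid}/status") as f:
        for line in f:
            if line.startswith("VmRSS:"):
                return int(line.split()[1])
    raise RuntimeError(f"VmRSS not found for pid {pid}")


def growth_slope_kb(samples: Sequence[int]) -> float:
    """Least-squares slope of the RSS series, in KB per sample interval.
    A flat series or one with a single symmetric spike yields a slope near 0."""
    n = len(samples)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(samples) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(samples))
    var = sum((x - mean_x) ** 2 for x in range(n))
    return cov / var


def looks_like_leak(samples: Sequence[int],
                    min_slope_kb: float = 1024,
                    min_samples: int = 10) -> bool:
    """Flag a sustained upward trend: enough samples, slope at or above the
    threshold, and the series ending above where it started. Short series
    are never flagged, so a warm-up burst cannot trigger a false alarm.
    Thresholds are assumptions for this example."""
    if len(samples) < min_samples:
        return False
    slope = growth_slope_kb(samples)
    return slope >= min_slope_kb and samples[-1] > samples[0]


def watch(pid: int, interval_s: float = 30, samples_needed: int = 20,
          **thresholds) -> bool:
    """Sample RSS of `pid` every `interval_s` seconds and report whether the
    collected series looks like a leak."""
    samples = []
    while len(samples) < samples_needed:
        samples.append(read_rss_kb(pid))
        time.sleep(interval_s)
    return looks_like_leak(samples, **thresholds)


if __name__ == "__main__":
    # Usage: python watcher.py <pid>  (sampling a live process on Linux).
    if len(sys.argv) == 2:
        print("leak suspected:", watch(int(sys.argv[1])))
    else:
        # Constructed series: steady 2 MB/sample growth vs. a one-off spike
        # vs. a GC-style sawtooth that stays within a 15 MB band.
        steady = [100_000 + 2048 * i for i in range(20)]
        spike = [100_000] * 20
        spike[10] = 500_000
        sawtooth = [100_000 + (i % 4) * 5_000 for i in range(20)]
        print("steady:", looks_like_leak(steady))      # True
        print("spike:", looks_like_leak(spike))        # False
        print("sawtooth:", looks_like_leak(sawtooth))  # False
```

The slope test is deliberately conservative: it wants the whole window to trend upward, which is the signature of a cache that only ever adds keys. A leak driven by rare endpoint changes will show a shallow slope, so lower `min_slope_kb` or lengthen the window for low-traffic services. Any positive result still needs the version check before it is attributed to this CVE.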
How can this vulnerability impact me? :
This vulnerability affects any process that uses the Zipkin exporter for client or producer spans, and its impact scales with the number of distinct remote endpoint values the process sees; services that talk to many hosts, to rotating IP addresses, or over per-request ephemeral ports are the most exposed.
The growth is gradual and does not reverse, so over time it can cause slowdowns, increased garbage-collection pressure, out-of-memory termination, or crashes of the affected process. It is an availability (denial-of-service) risk only; no data is exposed or modified.
What immediate steps should I take to mitigate this vulnerability?
Upgrade OpenTelemetry.Exporter.Zipkin to version 1.15.3 or later, which replaces the unbounded cache with a bounded, thread-safe LRU cache of fixed maximum size, and redeploy every service that carries the package, including those that pull it in transitively. Where an upgrade cannot be rolled out immediately, two workarounds limit the damage without removing the root cause: reduce the cardinality of the span attributes the remote endpoint is derived from (for example by normalizing or dropping ephemeral values before export), and run the process under a memory limit so that the growth results in a controlled restart rather than starving the host.