CVE-2026-41483
Awaiting Analysis Awaiting Analysis - Queue
Memory Exhaustion in OpenTelemetry .NET Azure Resource Detector

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description
OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size limit. An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, disable the Azure VM resource detector or use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the Azure VM instance metadata endpoint. This issue is fixed in version 1.15.1-beta.1, which streams responses rather than buffering them entirely in memory and ignores responses larger than 4 MiB.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41483
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
opentelemetry resources_azure 1.15.0-beta.1
opentelemetry resources_azure 1.15.1-beta.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in OpenTelemetry.Resources.Azure, specifically in versions 1.15.0-beta.1 and earlier. The AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the entire response body into memory without any size limit.

An attacker who controls the configured endpoint or can intercept the traffic via a man-in-the-middle attack can send an arbitrarily large response. This causes unbounded heap allocation in the process consuming the response, which can lead to high memory usage, garbage collection delays, or an OutOfMemoryException that crashes the process.

The issue is fixed in version 1.15.1-beta.1 by streaming responses instead of buffering them fully in memory and ignoring responses larger than 4 MiB.

Impact Analysis

This vulnerability can cause your application or service using the affected OpenTelemetry Azure resource detector to consume excessive memory when processing metadata responses.

The excessive memory consumption can lead to high transient memory pressure, delays due to garbage collection, or even an OutOfMemoryException that terminates the process unexpectedly.

Such crashes or performance degradation can disrupt service availability and reliability.

Detection Guidance

This vulnerability involves the AzureVmMetaDataRequestor class in OpenTelemetry.Resources.Azure making HTTP requests to the Azure VM instance metadata service and reading the response body without size limits. Detection would involve identifying if your system is running OpenTelemetry.Resources.Azure version 1.15.0-beta.1 or earlier.

You can check the version of the OpenTelemetry.Resources.Azure package used in your .NET applications. Additionally, monitoring for unusually high memory usage or OutOfMemoryExceptions in processes using this package may indicate exploitation attempts.

Since the vulnerability is triggered by HTTP requests to the Azure VM instance metadata service, you can also monitor network traffic for large or abnormal responses from the metadata endpoint.

Specific commands to check the package version in a .NET project include:

  • dotnet list package | findstr OpenTelemetry.Resources.Azure

To monitor memory usage or process crashes, use system monitoring tools appropriate for your environment (e.g., Task Manager, top, or performance counters).

Mitigation Strategies

Immediate mitigation steps include disabling the Azure VM resource detector in OpenTelemetry.Resources.Azure to prevent it from making vulnerable HTTP requests.

Alternatively, implement network-level controls such as firewall rules to restrict access to the Azure VM instance metadata endpoint.

Use mutual TLS (mTLS) or a service mesh to prevent man-in-the-middle attacks on the metadata endpoint, which could be exploited to send arbitrarily large responses.

Finally, update OpenTelemetry.Resources.Azure to version 1.15.1-beta.1 or later, where the vulnerability is fixed by streaming responses and ignoring responses larger than 4 MiB.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41483. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart