CVE-2026-41483
BaseFortify
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability is in OpenTelemetry.Resources.Azure, versions 1.15.0-beta.1 and earlier. The AzureVmMetaDataRequestor class requests instance metadata from the Azure VM Instance Metadata Service (IMDS) over HTTP and reads the entire response body into memory with no size limit (CWE-770: no restriction on the size of the allocated resource).
An attacker who controls the endpoint the requestor is pointed at, or who can interpose on that traffic in a man-in-the-middle position, can return an arbitrarily large body. The process buffers all of it, so heap usage grows with the response: high transient memory pressure, long garbage-collection pauses, or an OutOfMemoryException that terminates the process. The response is only ever read, not executed, so the impact is availability, not code execution.
The issue is fixed in version 1.15.1-beta.1, which streams the response instead of buffering it fully and ignores any response larger than 4 MiB.
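The two patterns the advisory contrasts, as an added example written for this page (not code from OpenTelemetry.Resources.Azure itself): an unbounded read of the metadata response next to a bounded one that mirrors the described fix. The class name MetadataClient, the helper names, the 16 KiB chunk size and the IMDS api-version are this example's own choices; the 4 MiB cap matches the limit the advisory reports for the fix.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical helper for this example; not the library's AzureVmMetaDataRequestor.
public static class MetadataClient
{
    // Azure IMDS is reached over plain HTTP at a link-local address and requires
    // the "Metadata: true" header. The api-version value is an assumption.
    private const string ImdsUrl =
        "http://169.254.169.254/metadata/instance?api-version=2021-12-13";

    // Cap chosen to mirror the 4 MiB limit the advisory says the fix applies.
    public const long MaxResponseBytes = 4L * 1024 * 1024;

    private static HttpRequestMessage NewRequest(string url)
    {
        var req = new HttpRequestMessage(HttpMethod.Get, url);
        req.Headers.Add("Metadata", "true");
        return req;
    }

    // Unbounded pattern (CWE-770): the whole body is buffered before anything
    // checks how large it is, so a hostile endpoint can keep sending.
    public static async Task<string> GetUnboundedAsync(HttpClient http, CancellationToken ct)
    {
        using var req = NewRequest(ImdsUrl);
        using var resp = await http.SendAsync(req, ct);
        return await resp.Content.ReadAsStringAsync(ct);
    }

    // Bounded pattern: return as soon as the headers arrive, reject a declared
    // oversize early, then read the stream under a hard cap so a missing or
    // lying Content-Length cannot bypass the limit. Oversize -> null (ignored).
    public static async Task<string?> GetBoundedAsync(HttpClient http, CancellationToken ct)
    {
        using var req = NewRequest(ImdsUrl);
        using var resp = await http.SendAsync(req, HttpCompletionOption.ResponseHeadersRead, ct);
        if (!resp.IsSuccessStatusCode)
            return null;

        long? declared = resp.Content.Headers.ContentLength;
        if (declared.HasValue && declared.Value > MaxResponseBytes)
            return null;

        using Stream body = await resp.Content.ReadAsStreamAsync(ct);
        return await ReadCappedAsync(body, MaxResponseBytes, ct);
    }

    // Reads at most maxBytes from body; returns null the moment the cap is
    // exceeded, so memory never grows beyond maxBytes plus one chunk.
    public static async Task<string?> ReadCappedAsync(Stream body, long maxBytes, CancellationToken ct)
    {
        using var buffer = new MemoryStream();
        var chunk = new byte[16 * 1024];
        long total = 0;
        int n;
        while ((n = await body.ReadAsync(chunk, 0, chunk.Length, ct)) > 0)
        {
            total += n;
            if (total > maxBytes)
                return null;
            buffer.Write(chunk, 0, n);
        }
        return Encoding.UTF8.GetString(buffer.GetBuffer(), 0, (int)buffer.Length);
    }
}
```

The Content-Length check alone is not a defense: the header is attacker-supplied and may be absent with chunked encoding, which is why the stream read keeps its own byte count. ReadCappedAsync can be exercised offline by passing a MemoryStream larger than the cap and confirming it returns null. For code that stays on the default buffering mode, HttpClient.MaxResponseContentBufferSize offers a coarser cap that raises an HttpRequestException instead of quietly ignoring the response.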
How can this vulnerability impact me?
Any application or service that uses the affected Azure VM resource detector can be made to consume excessive memory while processing a metadata response. Resource detection normally runs when the OpenTelemetry provider is built, so the exposure is concentrated at process startup.
The result ranges from high transient memory pressure and garbage-collection delays to an OutOfMemoryException that terminates the process unexpectedly.
Either outcome degrades availability and reliability of the affected service; confidentiality and integrity are not affected, since the oversized response is only buffered, never interpreted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerable code path is the AzureVmMetaDataRequestor class in OpenTelemetry.Resources.Azure, which requests metadata from the Azure VM instance metadata service and reads the body without a size limit. Detection is therefore an inventory question: find every .NET application or service that carries OpenTelemetry.Resources.Azure at version 1.15.0-beta.1 or earlier, including as a transitive dependency.
From a project or solution directory:
- dotnet list package --include-transitive | grep OpenTelemetry.Resources.Azure (on Windows, use findstr instead of grep)
- dotnet list package --vulnerable --include-transitive, which checks the restored packages against the GitHub Advisory Database and lists affected versions with their advisory IDs
For a deployed application with no project file, search the deployment directory's *.deps.json for "OpenTelemetry.Resources.Azure", which records the exact package version that was published.
Runtime symptoms are weaker evidence and should be corroborated with the package inventory: a sudden rise in managed heap size, long GC pauses, or an OutOfMemoryException in a process that uses this package, typically around startup when the resource detector runs. dotnet-counters monitor --process-id <pid> shows GC heap size live; Task Manager, top, or performance counters give a coarser view.
Because IMDS lives at the link-local address 169.254.169.254 and the traffic never leaves the VM, network evidence has to be captured on the VM itself, for example tcpdump -i any host 169.254.169.254, looking for responses far larger than a normal instance document (a few kilobytes).
What immediate steps should I take to mitigate this vulnerability?
Update OpenTelemetry.Resources.Azure to version 1.15.1-beta.1 or later. The fix streams the response instead of buffering it and ignores any response larger than 4 MiB, which removes the unbounded allocation.
Until the update can be deployed, remove the Azure VM resource detector from the ResourceBuilder configuration (the AddAzureVMDetector() registration) so the AzureVmMetaDataRequestor never runs; the advisory names only that requestor as affected.
If your deployment makes the metadata endpoint configurable, keep that setting under your control, since an attacker who can point the requestor at a hostile server needs no network position at all.
Be realistic about the man-in-the-middle precondition: IMDS is a platform-provided endpoint reached over plain HTTP at 169.254.169.254 and does not speak TLS, so mutual TLS or a service mesh cannot be placed in front of it. Interposing on that traffic requires privileged code already running on the VM (to alter routes or firewall rules) or control of the host-side path, so the controls that help are host hardening, least privilege on the VM, and host firewall rules that restrict which local accounts may reach 169.254.169.254.