CVE-2026-41484
Memory Exhaustion in OpenTelemetry Exporter
Publication date: 2026-05-06
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opentelemetry | exporter_onecollector | < 1.15.1 (affected) |
| opentelemetry | exporter_onecollector | 1.15.1 (fixed) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 (Allocation of Resources Without Limits or Throttling) | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. Here the resource is heap memory, and the actor is whoever answers the exporter's HTTP request. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unbounded memory allocation when OpenTelemetry.Exporter.OneCollector receives a large HTTP 4xx or 5xx response body from the configured back-end or collector. There is no signature to match; detection relies on two things: knowing which processes load a vulnerable version of the package, and watching those processes for the symptoms (sudden transient memory growth, long garbage-collection pauses, or a crash with System.OutOfMemoryException).
To find vulnerable deployments, check the package version your projects reference. `dotnet list package` in the project or solution directory lists resolved NuGet packages and their versions; any OpenTelemetry.Exporter.OneCollector entry below 1.15.1 is affected. Searching `*.csproj` and `packages.lock.json` files for the package name gives the same answer for checked-in sources.
To watch the running process, on Linux systems you can use commands such as:
- `ps aux --sort=-rss | grep <process_name>` : resident memory of the exporting process, sorted largest first
- `top` or `htop` : interactive memory and CPU monitoring
- `dmesg | grep -i oom` : kernel OOM-killer events. A managed OutOfMemoryException may terminate the process without any kernel OOM-killer event, so also check the application's own logs and stderr for System.OutOfMemoryException.
Network-level detection can include monitoring responses from the configured back-end or collector endpoint for unusually large 4xx or 5xx bodies. Because this traffic is normally TLS, body sizes are only visible at a TLS-terminating proxy or egress gateway; at the packet level, an abnormally large inbound byte count on the exporter's connection is the best available proxy signal.
Because the trigger is a large error response body, only an endpoint that answers the exporter (the real collector, a compromised one, or a man-in-the-middle) can exploit it. Firewall rules, mutual TLS, or a service mesh reduce the interception case but do nothing against a misbehaving or hostile endpoint; upgrading is the only fix that removes the condition itself.
Can you explain this vulnerability to me?
The vulnerability exists in OpenTelemetry.Exporter.OneCollector versions 1.15.0 and earlier, specifically in the HttpJsonPostTransport class. When a request to the configured back-end or collector results in an unsuccessful HTTP 4xx or 5xx response, the class reads the entire response body into memory without any limit on its size. The body length is entirely under the control of whoever answers the request.
An attacker who controls the endpoint, or who can intercept the connection (a man-in-the-middle position, which against TLS requires a trusted certificate or a client that does not validate one), can return an arbitrarily large error body. The exporter then allocates without bound while consuming the response, causing high memory pressure, garbage-collection stalls, or an OutOfMemoryException. Because the exporter runs inside the instrumented application process, that exception terminates the application itself, not just the telemetry pipeline.
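The following C# program is an added illustration, not code from OpenTelemetry.Exporter.OneCollector or any other project. It places the unbounded read pattern the advisory describes next to a bounded variant that stops after 4 MiB (the cap this page says 1.15.1 applies), and drives the bounded reader through a constructed HttpMessageHandler that returns an HTTP 500 whose body never ends, standing in for a hostile endpoint or man-in-the-middle. The class names, the constant, the handler and the URL are all assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Added example (not OpenTelemetry project code): unbounded vs bounded
// reading of an HTTP error body, exercised against a never-ending response.
static class ErrorBodyDemo
{
    // Assumed cap, chosen to mirror the 4 MiB limit described for 1.15.1.
    const int MaxErrorBodyBytes = 4 * 1024 * 1024;

    // Vulnerable pattern: buffers whatever the server chooses to send.
    static Task<string> ReadUnboundedAsync(HttpResponseMessage response) =>
        response.Content.ReadAsStringAsync();

    // Hardened pattern: stream the body and stop once the cap is reached.
    static async Task<string> ReadBoundedAsync(HttpResponseMessage response, CancellationToken ct)
    {
        using Stream body = await response.Content.ReadAsStreamAsync(ct);
        using var sink = new MemoryStream();
        byte[] chunk = new byte[16 * 1024];
        while (sink.Length < MaxErrorBodyBytes)
        {
            int want = (int)Math.Min(chunk.Length, MaxErrorBodyBytes - sink.Length);
            int n = await body.ReadAsync(chunk.AsMemory(0, want), ct);
            if (n == 0) break;                      // genuine end of body
            sink.Write(chunk, 0, n);
        }
        bool truncated = sink.Length >= MaxErrorBodyBytes;
        string text = Encoding.UTF8.GetString(sink.GetBuffer(), 0, (int)sink.Length);
        return truncated ? text + " ...[truncated]" : text;
    }

    // Constructed test double: a read-only stream of 'A' bytes that never hits EOF.
    sealed class EndlessStream : Stream
    {
        public override bool CanRead => true;
        public override bool CanSeek => false;
        public override bool CanWrite => false;
        public override long Length => throw new NotSupportedException();
        public override long Position
        {
            get => throw new NotSupportedException();
            set => throw new NotSupportedException();
        }
        public override void Flush() { }
        public override int Read(byte[] buffer, int offset, int count)
        {
            Array.Fill(buffer, (byte)'A', offset, count);
            return count;
        }
        public override long Seek(long offset, SeekOrigin origin) => throw new NotSupportedException();
        public override void SetLength(long value) => throw new NotSupportedException();
        public override void Write(byte[] buffer, int offset, int count) => throw new NotSupportedException();
    }

    // Constructed test double standing in for a hostile collector or MITM:
    // every request is answered with HTTP 500 and an endless body.
    sealed class HostileHandler : HttpMessageHandler
    {
        protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct) =>
            Task.FromResult(new HttpResponseMessage(HttpStatusCode.InternalServerError)
            {
                Content = new StreamContent(new EndlessStream())
            });
    }

    static async Task Main()
    {
        using var client = new HttpClient(new HostileHandler());
        // ResponseHeadersRead matters: without it HttpClient buffers the whole
        // body (up to MaxResponseContentBufferSize, 2 GB by default) before the
        // caller even sees the status code, so a bounded reader would never run.
        using HttpResponseMessage response = await client.SendAsync(
            new HttpRequestMessage(HttpMethod.Post, "https://example.invalid/ingest"), // assumed URL
            HttpCompletionOption.ResponseHeadersRead);

        if (!response.IsSuccessStatusCode)
        {
            string body = await ReadBoundedAsync(response, CancellationToken.None);
            Console.WriteLine($"HTTP {(int)response.StatusCode}: kept {body.Length} chars, cap {MaxErrorBodyBytes} bytes");
            // ReadUnboundedAsync(response) here would keep allocating until the
            // process runs out of memory: the condition this CVE describes.
        }
    }
}
```

The two points a reviewer should take from this are that the cap has to live in the reader that handles the error path, since a 4xx/5xx body is the one case where the client has no reason to trust the payload, and that the cap is only effective when the request was issued with HttpCompletionOption.ResponseHeadersRead; otherwise the framework has already buffered the attacker's body before the exporter code gets control.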
How can this vulnerability impact me?
This vulnerability can cause an application or service that uses OpenTelemetry.Exporter.OneCollector to consume excessive memory when it handles an error response from the configured back-end or collector. It is an availability issue only; the page describes no exposure or tampering of telemetry data.
The unbounded memory consumption can degrade performance through garbage-collection stalls, or terminate the process with an OutOfMemoryException.
Because the exporter runs in the same process as the application it instruments, such a crash takes down that application, and with it the telemetry export that would normally reveal the problem.
What immediate steps should I take to mitigate this vulnerability?
Upgrade OpenTelemetry.Exporter.OneCollector to version 1.15.1 or later, which limits the number of bytes read from the response body in an error condition to 4 MiB. This is the only step that removes the condition.
Until the upgrade is deployed, network-level controls such as firewall rules, mutual TLS (mTLS), or a service mesh reduce the chance of a man-in-the-middle inserting a large error response. They do not protect against the configured endpoint itself returning one, so treat them as a stopgap, not a substitute for the fix.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.