CVE-2026-41310— OpenTelemetry .NET Zipkin exporter has unbounded remote endpoint cache leading to memory growth
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41310
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
OpenTelemetry .NET Zipkin exporter has unbounded remote endpoint cache leading to memory growth
Source: NVD (National Vulnerability Database)
Vulnerability Description
OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
不加限制或调节的资源分配
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenTelemetry 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenTelemetry是OpenTelemetry开源的一个供应商中立的开源可观测性框架。 OpenTelemetry 1.15.2及之前版本存在资源管理错误漏洞,该漏洞源于Zipkin导出器远程端点缓存接受来自span属性的无界键增长,可能导致进程内存使用量增加并降低可用性。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| open-telemetry | opentelemetry-dotnet | <= 1.15.2 | - |
II. Public POCs for CVE-2026-41310
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41310
请登录查看更多情报信息。
Same Patch Batch · open-telemetry · 2026-05-06 · 3 CVEs total
| CVE-2026-41483 | 5.9 MEDIUM | Unbounded HTTP response body read in OpenTelemetry.Resources.Azure |
| CVE-2026-41484 | 5.3 MEDIUM | OpenTelemetry.Exporter.OneCollector vulnerable to denial of service via unbounded HTTP err |
IV. Related Vulnerabilities
Same product: opentelemetry-dotnet
- CVE-2026-41078
OpenTelemetry dotnet: Potential memory exhaustion via unboun - CVE-2026-40894
OpenTelemetry dotnet: Excessive memory allocation when parsi - CVE-2026-40891
OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` pa - CVE-2026-40182
OpenTelemetry dotnet: OTLP exporter reads unbounded HTTP res - CVE-2025-27513
OpenTelemetry .NET has a Denial of Service (DoS) Vulnerabili
Same vendor: open-telemetry
- CVE-2026-41484
OpenTelemetry.Exporter.OneCollector vulnerable to denial of - CVE-2026-41483
Unbounded HTTP response body read in OpenTelemetry.Resources - CVE-2026-41433
OpenTelemetry eBPF Instrumentation: Privileged Java agent in - CVE-2026-41173
Unbounded HTTP response body read in OpenTelemetry.Sampler.A - CVE-2026-41078
OpenTelemetry dotnet: Potential memory exhaustion via unboun
Same weakness: CWE-770
- CVE-2026-42294
Argo Workflows: Unauthenticated Memory Exhaustion (DoS) in W - CVE-2026-42189
Russh: Pre-auth DoS via unbounded allocation in keyboard-int - CVE-2026-42793
Atom table exhaustion via attacker-controlled GraphQL SDL na - CVE-2026-44499
ZEBRA: Permanent Block Discovery Halt via Gossip Queue Satur - CVE-2026-44500
ZEBRA: Allocation Amplification in Inbound Network Deseriali
V. Comments for CVE-2026-41310
No comments yet