Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-44967— opentelemetry-cpp: OTLP HTTP exporters read unbounded HTTP response

CVSS 5.3 · Medium EPSS 0.21% · P11

Possible ATT&CK Techniques 1AI

T1496 · Resource Hijacking

Affected Version Matrix 1

VendorProductVersion RangeStatus
open-telemetryopentelemetry-cpp< 1.27.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-44967

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
opentelemetry-cpp: OTLP HTTP exporters read unbounded HTTP response
Source: NVD (National Vulnerability Database)
Vulnerability Description
OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
未经控制的内存分配
Source: NVD (National Vulnerability Database)
Vulnerability Title
OpenTelemetry C++ 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OpenTelemetry C++是OpenTelemetry团队的一款用于收集和导出遥测数据的服务器端支撑软件。 OpenTelemetry C++ 1.27.0之前版本存在资源管理错误漏洞,该漏洞源于OTLP HTTP导出器将完整的HTTP响应读入内存字节向量且无大小限制,可能导致在配置的收集器端点被攻击者控制时引发内存耗尽。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
open-telemetryopentelemetry-cpp < 1.27.0 -

II. Public POCs for CVE-2026-44967

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-44967

登录查看更多情报信息。

Patches & Fixes for CVE-2026-44967 (1)

Vendor Advisories for CVE-2026-44967 (2)

Proof of Concept for CVE-2026-44967 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-44967

No comments yet


Leave a comment