CVE-2026-41078

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

5.9 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H                                    

Vulnerability Description

OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023.

Vulnerability Details

Published Date

April 18, 2026

Last Modified

April 28, 2026

CWE ID

CWE-770

Source

GitHub

Vendor

nuget

Product

OpenTelemetry.Exporter.Jaeger

External References

https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-38h3-2333-qx47
https://github.com/advisories/GHSA-38h3-2333-qx47

CVE-2026-41078

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment