{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41078", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-16T16:43:03.176Z", "datePublished": "2026-04-23T18:05:41.367Z", "dateUpdated": "2026-04-23T18:52:26.466Z"}, "containers": {"cna": {"title": "OpenTelemetry dotnet: Potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-38h3-2333-qx47", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-38h3-2333-qx47"}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-dotnet", "versions": [{"version": "<= 1.6.0-rc.1", "status": "affected"}]}, {"vendor": "open-telemetry", "product": "OpenTelemetry.Exporter.Jaeger", "versions": [{"version": "<= 1.6.0-rc.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T18:05:41.367Z"}, "descriptions": [{"lang": "en", "value": "OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023."}], "source": {"advisory": "GHSA-38h3-2333-qx47", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T18:52:04.471326Z", "id": "CVE-2026-41078", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T18:52:26.466Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41078", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T18:52:04.471326Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T18:52:10.472Z"}}], "cna": {"title": "OpenTelemetry dotnet: Potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path", "source": {"advisory": "GHSA-38h3-2333-qx47", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-dotnet", "versions": [{"status": "affected", "version": "<= 1.6.0-rc.1"}]}, {"vendor": "open-telemetry", "product": "OpenTelemetry.Exporter.Jaeger", "versions": [{"status": "affected", "version": "<= 1.6.0-rc.1"}]}], "references": [{"url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-38h3-2333-qx47", "name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-38h3-2333-qx47", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T18:05:41.367Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41078", "state": "PUBLISHED", "dateUpdated": "2026-04-23T18:52:26.466Z", "dateReserved": "2026-04-16T16:43:03.176Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-23T18:05:41.367Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:*", "matchCriteriaId": "56927593-8DEA-46DF-99FB-150F00796ED8", "versionEndExcluding": "1.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:alpha1:*:*:*:.net:*:*", "matchCriteriaId": "13631A96-4D58-461F-9264-64DBD3BAF413", "vulnerable": true}, {"criteria": "cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:beta1:*:*:*:.net:*:*", "matchCriteriaId": "7D986355-87A6-4E57-9459-12F757E5773A", "vulnerable": true}, {"criteria": "cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:beta2:*:*:*:.net:*:*", "matchCriteriaId": "48A81080-CF53-4EA9-A98B-55F7016D8D72", "vulnerable": true}, {"criteria": "cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:beta3:*:*:*:.net:*:*", "matchCriteriaId": "624E213B-E94A-4A6E-AD8F-45F0007B6D5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:rc1:*:*:*:.net:*:*", "matchCriteriaId": "AD841242-43F8-4A7D-B9DC-9BFE0953C675", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023."}], "id": "CVE-2026-41078", "lastModified": "2026-04-28T19:24:14.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-23T19:17:28.950", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-38h3-2333-qx47"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.0-rc.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "opentelemetry-dotnet", "vendor": "opentelemetry"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.0-rc.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "OpenTelemetry.Exporter.Jaeger", "source": "cna", "vendor": "open-telemetry"}, "product": "opentelemetry.exporter.jaeger", "vendor": "opentelemetry"}], "analysis": {"en": {"generated_at": "2026-04-28T14:48:09.772245+00:00", "value": {"mitigation_remediation": ["Remove or disable the OpenTelemetry.Exporter.Jaeger from all affected deployments.", "Upgrade the opentelemetry-dotnet SDK to a release that no longer contains the Jaeger exporter or that hard\u2011limits pooled\u2011list sizing.", "If removal or upgrade is not feasible, enforce strict limits on span/tag cardinality or sanitize incoming telemetry before it reaches the exporter to prevent list growth."], "summary": {"action": "Disable Exporter", "impact": "Memory exhaustion leading to denial of service"}, "threat_synthesis": {"affected_systems": "The affected components are the OpenTelemetry.Exporter.Jaeger library and the opentelemetry-dotnet SDK, both maintained by the OpenTelemetry project. Versions 1.6.0\u2011rc.1 and earlier are vulnerable; the Jaeger exporter was deprecated in 2023, so newer releases no longer include the vulnerable code.", "description_and_impact": "The Jaeger exporter in OpenTelemetry\u00a0dotnet inflates its internal pooled\u2011list sizing based on the number of spans and tags observed. When a user or attacker supplies telemetry with very high cardinality, the list grows without bounds and the enlarged size is then reused by subsequent allocations. This sustained increase in memory consumption can deplete an application\u2019s heap and result in denial of service. The flaw is a classic unbounded allocation weakness marked as CWE\u2011770 and is present in all releases 1.6.0\u2011rc.1 and earlier.", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate severity, while the EPSS score of less than 1% reflects a very low exploitation probability at the time of analysis. The vulnerability is not listed in CISA\u2019s KEV catalog. Because the attack requires the attacker to influence the content of telemetry streams, the likely vector is an application or infrastructure component that accepts untrusted telemetry data. There is no official fix, so the risk persists until the exporter is removed or the application mitigates cardinality of telemetry."}}}}, "created": "2026-04-28T09:25:49.840092+00:00", "updated": "2026-04-28T15:00:14.491589+00:00", "vendors": ["opentelemetry", "opentelemetry$PRODUCT$opentelemetry-dotnet", "opentelemetry$PRODUCT$opentelemetry.exporter.jaeger"]}