Skip to main content

Canonical CVE-2026-29181

| EUVDEUVD-2026-19938 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-04-07 https://github.com/open-telemetry/opentelemetry-go GHSA-mh2q-q3fh-2475
7.5
CVSS 3.1 · Vendor: https://github.com/open-telemetry/opentelemetry-go
Share

Severity by source

Vendor (https://github.com/open-telemetry/opentelemetry-go) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (https://github.com/open-telemetry/opentelemetry-go).

CVSS VectorVendor: https://github.com/open-telemetry/opentelemetry-go

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
EUVD ID Assigned
Apr 07, 2026 - 20:16 euvd
EUVD-2026-19938
Analysis Generated
Apr 07, 2026 - 20:16 vuln.today
Patch released
Apr 07, 2026 - 20:16 nvd
Patch available
CVE Published
Apr 07, 2026 - 20:12 nvd
HIGH 7.5

DescriptionCVE.org

multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit.

severity

HIGH (availability / remote request amplification)

relevant links

  • repository: https://github.com/open-telemetry/opentelemetry-go
  • pinned callsite: https://github.com/open-telemetry/opentelemetry-go/blob/1ee4a4126dbdd1bc79e9fae072fa488beffac52a/propagation/baggage.go#L58

vulnerability details

pins: open-telemetry/opentelemetry-go@1ee4a4126dbdd1bc79e9fae072fa488beffac52a as-of: 2026-02-04 policy: direct (no program scope provided)

callsite: propagation/baggage.go:58 (extractMultiBaggage) attacker control: inbound HTTP request headers (many baggage field-values) → propagation.HeaderCarrier.Values("baggage") → repeated baggage.Parse + member aggregation

root cause

extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).

impact

in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency.

example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):

  • canonical: per_req_alloc_bytes=10315458 and p95_ms=7
  • control: per_req_alloc_bytes=133429 and p95_ms=0

proof of concept

canonical:

bash
mkdir -p poc
unzip poc.zip -d poc
cd poc
make test

output (excerpt):

[CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage
[PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165

control:

bash
cd poc
make control

control output (excerpt):

[NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480

expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget. actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.

fix recommendation

avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).

fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for per_req_alloc_bytes and per_req_allocs, and p95_ms stays below 2ms.

poc.zip PR_DESCRIPTION.md

AnalysisAI

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger severe CPU and memory amplification via crafted HTTP baggage headers. The vulnerability allows unauthenticated attackers to send multiple baggage header lines that bypass the 8192-byte per-value parse limit by triggering repeated parsing operations - achieving 77x memory amplification (10.3MB vs 133KB per request) in vendor-provided proof-of-concept testing. Vendor-released patch available in v1.41.0. EPSS data not available; no confirmed active exploitation (not in CISA KEV); publicly available exploit code exists (vendor-provided PoC demonstrating 77x amplification).

Technical ContextAI

OpenTelemetry Go's baggage propagation implementation (go.opentelemetry.io/otel/propagation) extracts W3C Baggage headers from HTTP requests to propagate distributed tracing context. The vulnerable code path in propagation/baggage.go:58 (extractMultiBaggage function) processes HTTP multi-value headers by iterating through each baggage header field independently, parsing each value through baggage.Parse and aggregating members across all values. While individual header values are subject to an 8192-byte parse limit, the function does not enforce a global budget across multiple header lines. This design flaw maps to CWE-400 (Uncontrolled Resource Consumption) - specifically an algorithmic complexity issue where attacker-controlled input multiplicity (number of header lines) directly multiplies computational work. Within net/http's default 1MB header size limit, an attacker can send approximately 120+ baggage header lines, each triggering full parse and allocation cycles, resulting in quadratic resource consumption relative to a single comma-joined header value that would be semantically equivalent per the W3C Baggage specification.

RemediationAI

Upgrade to OpenTelemetry Go v1.41.0 or later, which contains the fix in commit aa1894e09e3fe66860c7885cb40f98901b35277f per https://github.com/open-telemetry/opentelemetry-go/pull/7880. The patch enforces a global parsing budget across multi-value baggage headers by normalizing multiple header field-values into a single comma-joined string before parsing, ensuring that attacker-controlled header multiplicity cannot amplify resource consumption beyond the 8192-byte total limit. For applications unable to immediately upgrade, implement workarounds at the HTTP ingress layer: configure reverse proxies or API gateways to limit the number of baggage header lines per request (e.g., reject requests with more than 3-5 baggage headers) or enforce stricter total header size limits below the 1MB net/http default. Review server resource limits and monitoring to detect amplification attacks in progress. Vendor advisory and release notes available at https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.41.0.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

CVE-2022-24899 MEDIUM POC
6.1 May 06

Contao is a powerful open source CMS that allows you to create professional websites and scalable web applications. Rate

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise Module for Containers 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected

Share

CVE-2026-29181 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy