CVE-2026-41078
MEDIUM
GHSA-38h3-2333-qx47
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
Summary
> [!IMPORTANT] > There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023. It is for informational purposes only.
OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service.
Details
The Jaeger exporter conversion path can append tag/event data into pooled list structures. In affected versions, pooled allocation sizing may be influenced by large observed payloads and reused globally across later allocations, resulting in persistent oversized rentals and elevated memory pressure. In environments where telemetry attributes/events can be influenced by untrusted input and limits are increased from defaults, this may lead to process instability or denial of service.
Impact
Availability impact only. Confidentiality and integrity impacts are not expected.
Workarounds / Mitigations
- Prefer maintained exporters (for example OpenTelemetry Protocol format (OTLP)) instead of the Jaeger exporter.
AnalysisAI
OpenTelemetry.Exporter.Jaeger allows memory exhaustion and denial of service when processing high-cardinality or attacker-influenced telemetry data due to pooled list structures that retain oversized allocations across subsequent requests. The affected .NET NuGet package may experience sustained memory pressure if telemetry attributes or events contain large payloads, particularly in environments where input originates from untrusted sources and memory limits are increased from defaults. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today