OpenTelemetry Zipkin Exporter CVE-2026-41310
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
The Zipkin exporter remote endpoint cache accepted unbounded key growth derived from span attributes. In high-cardinality scenarios, this could increase process memory usage over time and degrade availability.
Details
- Introduce a bounded, thread-safe LRU cache for remote endpoints.
- Enforce fixed maximum size to prevent unbounded growth.
Impact
- A process using Zipkin export for client/producer spans could experience avoidable memory growth under sustained unique remote endpoint values.
Resources
AnalysisAI
OpenTelemetry's Zipkin exporter for .NET allows unauthenticated remote attackers to trigger denial of service by sending spans with high-cardinality remote endpoint attributes, causing unbounded memory growth in the remote endpoint cache and eventual process degradation. CVSS 5.3 (network-accessible, low complexity). Patch available from vendor; no active exploitation identified.
Technical ContextAI
The OpenTelemetry Zipkin exporter (NuGet package opentelemetry.exporter.zipkin) maintains an in-memory cache of remote endpoint values derived from span attributes. In distributed tracing, spans may contain remote endpoint information (e.g., target service addresses). The vulnerability arises from CWE-400 (uncontrolled resource consumption): the cache accepted unbounded key growth without size limits, allowing an attacker to craft or inject spans with unique remote endpoint values. Each new unique endpoint value added a new cache entry, consuming heap memory indefinitely. Under sustained high-cardinality workloads (many unique endpoint combinations), this causes memory exhaustion and process unavailability. The fix implements a bounded, thread-safe LRU (Least Recently Used) cache with a fixed maximum size, preventing unbounded growth.
RemediationAI
Upgrade to the patched version of OpenTelemetry.Exporter.Zipkin released by the OpenTelemetry .NET maintainers following PR #7081 (commit c724f4bd6fd88e9a599af1668bf7af9487155b62). Refer to the GitHub advisory (https://github.com/advisories/GHSA-88hf-wf7h-7w4m) for the exact version number and NuGet package release details. If immediate patching is not feasible, apply defense-in-depth controls: validate and limit the cardinality of remote endpoint attributes in incoming spans before they reach the Zipkin exporter (e.g., implement span sampling or attribute filtering in the OpenTelemetry pipeline), restrict network access to span ingestion endpoints to trusted clients only, and monitor process memory usage to detect early signs of exhaustion. Monitor the OpenTelemetry project releases (https://github.com/open-telemetry/opentelemetry-dotnet/releases) for official patched version availability.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-88hf-wf7h-7w4m