Memory Growth Vulnerability in OpenTelemetry .NET Zipkin Exporter
CVE-2026-41310

5.3 MEDIUM

Key Information:

Vendor
CVE Published: 6 May 2026

What is CVE-2026-41310?

A resource exhaustion vulnerability exists in the OpenTelemetry .NET Zipkin exporter: span attributes can cause unbounded key growth in the remote endpoint cache. With high-cardinality values, memory usage increases over time as unique remote endpoint values accumulate, which degrades system performance and availability. Version 1.15.3 addresses the issue by implementing a fixed-size, thread-safe least-recently-used (LRU) cache for remote endpoints, which prevents excessive memory growth.

Affected Version(s)

opentelemetry-dotnet <= 1.15.2

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved