Heap Allocation Vulnerability in OpenTelemetry Resources for Azure Environments
CVE-2026-41483

5.9 MEDIUM

Key Information:

Vendor
CVE Published: 6 May 2026

What is CVE-2026-41483?

The OpenTelemetry.Resources.Azure .NET resource detector for Azure environments is susceptible to a heap allocation vulnerability caused by improper handling of HTTP responses from the Azure VM instance metadata service. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class allows an attacker who controls the configured endpoint, or who can intercept traffic, to deliver an excessively large response body. The result is unbounded heap allocation, causing high memory pressure, potential garbage collection stalls, or even process termination with an OutOfMemoryException.

Users are advised to disable the Azure VM resource detector or implement network-level security measures to mitigate this risk. The vulnerability is addressed in version 1.15.1-beta.1, which streams responses rather than buffering them entirely, thus limiting memory usage and ignoring oversized responses.
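The difference between buffering a whole response and streaming it under a size cap, as an added C# example (not the project's code or its actual fix). The class and method names and the 64 KiB limit are assumptions chosen for illustration; the page does not state the limit the fixed version uses.

```csharp
#nullable enable
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

public static class BoundedMetadataReader
{
    // Assumed cap for illustration only.
    private const int MaxResponseBytes = 64 * 1024;

    // Unbounded pattern: the entire body is buffered into memory before the
    // caller sees it, so the responding peer decides how much heap is allocated.
    public static Task<string> ReadUnboundedAsync(HttpClient client, Uri endpoint) =>
        client.GetStringAsync(endpoint);

    // Bounded pattern: stream the body and give up once it exceeds the cap.
    // Returns null when the response is oversized so the caller can ignore it.
    public static async Task<byte[]?> ReadBoundedAsync(
        HttpClient client, Uri endpoint, CancellationToken ct = default)
    {
        // ResponseHeadersRead returns as soon as headers arrive, without buffering the body.
        using var response = await client
            .GetAsync(endpoint, HttpCompletionOption.ResponseHeadersRead, ct)
            .ConfigureAwait(false);
        response.EnsureSuccessStatusCode();

        // Content-Length is only a hint (it may be absent or wrong), but an
        // honest oversized value lets us reject before reading anything.
        if (response.Content.Headers.ContentLength is long declared && declared > MaxResponseBytes)
            return null;

        using var body = await response.Content.ReadAsStreamAsync().ConfigureAwait(false);
        var buffer = new byte[MaxResponseBytes + 1]; // one extra byte to detect overflow
        int total = 0;
        while (total < buffer.Length)
        {
            int read = await body.ReadAsync(buffer, total, buffer.Length - total, ct)
                .ConfigureAwait(false);
            if (read == 0) break; // end of stream
            total += read;
        }
        if (total > MaxResponseBytes) return null; // oversized: stop reading and ignore

        var result = new byte[total];
        Array.Copy(buffer, result, total);
        return result;
    }
}
```

Memory use in the bounded reader is fixed at the cap plus one byte regardless of what the endpoint sends, and disposing the response abandons any remaining body.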

Affected Version(s)

opentelemetry-dotnet-contrib <= 1.15.0-beta.1

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
