Unbounded Buffer Vulnerability in OpenTelemetry .NET Client by OpenTelemetry
CVE-2026-42348

5.9MEDIUM

Key Information:

Vendor: Open-telemetry
Status: Opentelemetry-dotnet-contrib
Vendor: CVE Published:; 12 May 2026

🔔 Create Open-telemetry Vulnerability Alert

What is CVE-2026-42348?

The OpenTelemetry.OpAmp.Client, a component for .NET, has a vulnerability that allows an unbounded buffer allocation when processing HTTP responses from the OpAMP server. This occurs when the client receives responses containing an excessively large body, leading to potential memory exhaustion if the server is compromised or if a man-in-the-middle attacker interferes with the connection. The issue has been resolved in version 0.2.0-alpha.1, addressing the risk of memory issues from unregulated data allocation.

Affected Version(s)

opentelemetry-dotnet-contrib < 0.2.0-alpha.1

References

https://github.com/open-telemetry/opentelemetry-dotnet-co...

x_refsource_CONFIRM

https://github.com/open-telemetry/opentelemetry-dotnet-co...

x_refsource_MISC

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 26, 2026

CVE-2026-42348 Data

JSON