Platform: dotnet
Component: opentelemetry-dotnet
Fixed in: 1.6.1
CVE-2026-41078 describes a denial-of-service (DoS) vulnerability within the OpenTelemetry dotnet library, specifically impacting the deprecated OpenTelemetry.Exporter.Jaeger component. An attacker can trigger excessive memory consumption by sending telemetry data with high cardinality (many unique tags or events), potentially leading to application instability or crashes. This vulnerability affects versions 1.0.0 up to and including 1.6.0-rc.1; however, a fix is not planned due to the component's deprecation.
The primary impact of CVE-2026-41078 is a denial-of-service condition. An attacker capable of influencing the telemetry data sent to the OpenTelemetry Jaeger exporter can craft payloads that cause the internal pooled-list sizing to grow excessively. This enlarged size is then reused for subsequent memory allocations, leading to sustained memory pressure. The severity stems from the potential for complete application failure, especially in resource-constrained environments. While the Jaeger exporter is deprecated, it may still be in use within existing deployments, making this a potential risk for organizations transitioning away from it. The blast radius is limited to applications using the vulnerable exporter and their underlying infrastructure.
This CVE was publicly disclosed on 2026-04-23. There is no indication of active exploitation at this time. The vulnerability is not listed on the CISA KEV catalog. The lack of a planned fix suggests a lower probability of exploitation, but the potential for DoS remains a concern, especially for legacy systems still relying on the deprecated Jaeger exporter. Public proof-of-concept code is not currently available.
Organizations using OpenTelemetry dotnet versions 1.0.0 through 1.6.0-rc.1 for telemetry collection and analysis, particularly those relying on the deprecated Jaeger exporter, are at risk. Systems with limited memory resources are especially vulnerable to DoS attacks.
• dotnet / memory: Use dotnet-counters to monitor memory usage of the process hosting the OpenTelemetry Jaeger exporter. Look for sustained increases in memory allocation (the `<your-app-process>` value below is a placeholder for that process name):
dotnet-counters monitor --name <your-app-process> --counters System.Runtime
• dotnet / telemetry: Analyze telemetry data for unusually high cardinality (number of unique tags/events). Implement logging and monitoring to track the size and composition of telemetry payloads.
• generic / system: Monitor system memory usage. High memory utilization by the OpenTelemetry process could indicate exploitation:
top -c
Disclosure
Exploit status
EPSS: 0.06% (17th percentile)
CISA SSVC
CVSS vector
Given that a fix is not planned for CVE-2026-41078, the primary mitigation strategy is to avoid using the deprecated OpenTelemetry.Exporter.Jaeger component entirely. Organizations should migrate to supported OpenTelemetry exporters as soon as possible. If immediate migration is not feasible, consider limiting the cardinality of telemetry data sent to the Jaeger exporter through filtering or aggregation techniques. While not a direct mitigation, monitoring memory usage of the application and setting appropriate resource limits (e.g., container memory limits) can help prevent complete outages. After migrating away from the Jaeger exporter, verify that the application no longer references the component and that telemetry data is being sent to a supported exporter.
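As an added example (not code from the OpenTelemetry project or from this advisory), the following C# processor implements the cardinality limiting described in the mitigation above and also produces the detection signal asked for in the monitoring notes: it caps the number of tags a span carries, removes the excess before any exporter sees the span, and marks spans whose event list exceeds a budget as not recorded. The budget values, the `CardinalityGuardProcessor` name, the `MyApp` ActivitySource name, and the choice of the OTLP exporter as the migration target are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;
using OpenTelemetry;
using OpenTelemetry.Trace;

// Added example processor (assumed name); not part of OpenTelemetry .NET.
public sealed class CardinalityGuardProcessor : BaseProcessor<Activity>
{
    private readonly int maxTagsPerSpan;
    private readonly int maxEventsPerSpan;
    private readonly Action<string> report;

    // Default budgets are illustrative assumptions; tune them to the workload.
    public CardinalityGuardProcessor(int maxTagsPerSpan = 64, int maxEventsPerSpan = 128,
                                     Action<string>? report = null)
    {
        this.maxTagsPerSpan = maxTagsPerSpan;
        this.maxEventsPerSpan = maxEventsPerSpan;
        this.report = report ?? Console.Error.WriteLine;
    }

    public override void OnEnd(Activity activity)
    {
        // Materialize the keys first, then remove: setting a tag to null deletes it
        // from the Activity, so downstream exporters never allocate for it.
        List<string> excessTags = activity.TagObjects
            .Skip(this.maxTagsPerSpan)
            .Select(t => t.Key)
            .ToList();
        foreach (string key in excessTags)
        {
            activity.SetTag(key, null);
        }
        if (excessTags.Count > 0)
        {
            // Detection signal: a span that blew its tag budget is worth alerting on.
            this.report($"span '{activity.DisplayName}': dropped {excessTags.Count} tags over budget {this.maxTagsPerSpan}");
            activity.SetTag("telemetry.tags_dropped", excessTags.Count);
        }

        // Events cannot be removed from an Activity through its public API, so a span
        // with too many events is suppressed by clearing its Recorded flag. The SDK's
        // export processors skip non-recorded spans (assumption: this processor is
        // registered before the exporter's processor in the pipeline).
        int eventCount = activity.Events.Count();
        if (eventCount > this.maxEventsPerSpan)
        {
            this.report($"span '{activity.DisplayName}': {eventCount} events exceed budget {this.maxEventsPerSpan}; span suppressed");
            activity.ActivityTraceFlags &= ~ActivityTraceFlags.Recorded;
        }
    }
}

public static class TracingSetup
{
    // Wires the guard ahead of a supported exporter. AddOtlpExporter() comes from the
    // OpenTelemetry.Exporter.OpenTelemetryProtocol package; "MyApp" is an assumed source name.
    public static TracerProvider Build() =>
        Sdk.CreateTracerProviderBuilder()
            .AddSource("MyApp")
            .AddProcessor(new CardinalityGuardProcessor(maxTagsPerSpan: 32, maxEventsPerSpan: 64))
            .AddOtlpExporter()
            .Build()!;
}
```

The processor must be added before the exporter for the suppression to take effect, and dropping tags changes what every downstream consumer sees, so treat it as a stopgap while migrating: the durable fix is bounding cardinality at the instrumentation site (for example, not putting user-controlled or unbounded values into tag keys or values) and replacing the deprecated Jaeger exporter.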
Since OpenTelemetry.Exporter.Jaeger has been marked as deprecated, migrating to a compatible, maintained exporter is recommended. Consult the official OpenTelemetry documentation for instructions on migrating to an alternative exporter. No fix will be provided for this vulnerability because the component has been marked as deprecated.
CVE-2026-41078 is a denial-of-service vulnerability affecting OpenTelemetry dotnet versions 1.0.0 through 1.6.0-rc.1. High-cardinality telemetry can cause memory pressure and potential service disruption.
You are affected if you are using OpenTelemetry dotnet versions 1.0.0 through 1.6.0-rc.1 and rely on the deprecated Jaeger exporter. Assess your telemetry cardinality.
No official fix is planned due to the Jaeger exporter's deprecation. Mitigate by reducing telemetry cardinality, migrating to alternative exporters, and monitoring memory usage.
There are currently no known active exploits for CVE-2026-41078, but the vulnerability remains present in affected versions.
Refer to the OpenTelemetry documentation and release notes for information regarding the deprecation of the Jaeger exporter and the vulnerability: [https://opentelemetry.io/docs/](https://opentelemetry.io/docs/)