Platform
dotnet
Component
opentelemetry-dotnet
Fixed in
1.6.1
CVE-2026-41078 describes a denial-of-service (DoS) vulnerability within the OpenTelemetry dotnet Jaeger exporter. This vulnerability arises from the exporter's memory management strategy, which can be exploited by attackers to induce sustained memory pressure. The vulnerability impacts versions 1.0.0 up to and including 1.6.0-rc.1. Due to the deprecation of the Jaeger exporter, no official fix is planned.
An attacker can exploit this vulnerability by sending a stream of telemetry data with a large number of unique tags or events (high cardinality) to the OpenTelemetry Jaeger exporter. This input triggers the exporter to allocate more memory to its internal pooled list. The enlarged size of this list is then reused for subsequent allocations, leading to a continuous increase in memory consumption. If the system lacks sufficient memory resources, this can result in a denial-of-service condition, where the application or service becomes unresponsive or crashes. The blast radius extends to any service relying on the vulnerable OpenTelemetry Jaeger exporter for telemetry collection and analysis.
This CVE was published on 2026-04-23. There are currently no known public proof-of-concept exploits for CVE-2026-41078. The vulnerability is considered informational due to the deprecation of the affected exporter. It is not currently listed on CISA KEV.
Exploit Status
EPSS
0.06% (17% percentile)
Given that no fix is planned for CVE-2026-41078 due to the deprecation of the Jaeger exporter, mitigation strategies should focus on reducing the cardinality of telemetry data before it reaches the exporter. This can be achieved by filtering out unnecessary tags and events, aggregating data at the source, or using sampling techniques to reduce the volume of telemetry. Consider migrating to alternative OpenTelemetry exporters that are actively maintained and offer more robust memory management. Monitor memory usage of the OpenTelemetry Jaeger exporter process and implement alerts to detect potential memory pressure. If feasible, roll back to a previous version of OpenTelemetry dotnet before the introduction of the vulnerable exporter, though this may introduce other compatibility issues.
Since `OpenTelemetry.Exporter.Jaeger` has been deprecated, it is recommended to migrate to a compatible and updated exporter. Consult the official OpenTelemetry documentation for instructions on how to migrate to an alternative exporter. No fix will be provided for this vulnerability due to the component's deprecation.
CVE-2026-41078 is a denial-of-service vulnerability affecting OpenTelemetry dotnet versions 1.0.0 through 1.6.0-rc.1. High-cardinality telemetry can cause memory pressure and potential service disruption.
You are affected if you are using OpenTelemetry dotnet versions 1.0.0 through 1.6.0-rc.1 and rely on the deprecated Jaeger exporter. Assess your telemetry cardinality.
No official fix is planned due to the Jaeger exporter's deprecation. Mitigate by reducing telemetry cardinality, migrating to alternative exporters, and monitoring memory usage.
There are currently no known active exploits for CVE-2026-41078, but the vulnerability remains present in affected versions.
Refer to the OpenTelemetry documentation and release notes for information regarding the deprecation of the Jaeger exporter and the vulnerability: [https://opentelemetry.io/docs/](https://opentelemetry.io/docs/)
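To check a project against the affected range stated above, the following added example (not code from the OpenTelemetry project or from this advisory) scans a NuGet `packages.lock.json` for `OpenTelemetry.Exporter.Jaeger` resolved to a version from 1.0.0 through 1.6.0-rc.1, using SemVer pre-release ordering. The lock file content is constructed sample data, and applying the page's version range to that package's own version number is an assumption.

```python
import json

PACKAGE = "OpenTelemetry.Exporter.Jaeger"  # package named on the page
LOW, HIGH = "1.0.0", "1.6.0-rc.1"          # affected range from the page, inclusive

def semver_key(version):
    """Sort key following SemVer 2.0 precedence; build metadata is ignored."""
    core, _, pre = version.split("+", 1)[0].partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (4 - len(nums))         # NuGet allows up to four numeric parts
    if not pre:
        return (nums, 1, ())               # a release sorts after its own pre-releases
    ids = tuple(
        (0, int(i), "") if i.isdigit() else (1, 0, i.lower())  # numeric ids sort first
        for i in pre.split(".")
    )
    return (nums, 0, ids)

def is_affected(version):
    return semver_key(LOW) <= semver_key(version) <= semver_key(HIGH)

def find_affected(lock_text):
    """Return sorted (framework, dependency type, resolved version) rows that match."""
    hits = []
    for framework, packages in json.loads(lock_text).get("dependencies", {}).items():
        for name, entry in packages.items():
            resolved = entry.get("resolved", "")  # project references have no version
            # NuGet package ids are case-insensitive
            if name.lower() == PACKAGE.lower() and resolved and is_affected(resolved):
                hits.append((framework, entry.get("type", "?"), resolved))
    return sorted(hits)

# Constructed sample lock file (not taken from a real project)
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "OpenTelemetry.Exporter.Jaeger": {"type": "Direct", "resolved": "1.5.1"},
            "OpenTelemetry": {"type": "Transitive", "resolved": "1.5.1"},
        },
        "net8.0": {
            "opentelemetry.exporter.jaeger": {"type": "Transitive", "resolved": "1.6.0-rc.1"},
        },
    },
})

if __name__ == "__main__":
    for framework, kind, resolved in find_affected(SAMPLE_LOCK):
        print(f"{framework}: {PACKAGE} {resolved} ({kind}) is in the affected range")
```

A `Transitive` hit means another package pulls the exporter in, so the reference to remove may not be in your own project file.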