CVE-2026-39882: CWE-789: Memory Allocation with Excessive Size Value in open-telemetry opentelemetry-go
CVE-2026-39882 is a medium severity vulnerability in the open-telemetry opentelemetry-go library prior to version 1. 43. 0. The issue involves the otlp HTTP exporters reading the full HTTP response body into an in-memory buffer without limiting its size. This can lead to memory exhaustion if the collector endpoint is attacker-controlled or if a network attacker can intercept and manipulate the connection. The vulnerability is fixed in version 1. 43. 0.
AI Analysis
Technical Summary
The open-telemetry opentelemetry-go library versions before 1.43.0 contain a memory allocation vulnerability (CWE-789) in the otlp HTTP exporters for traces, metrics, and logs. These exporters read the entire HTTP response body into an unbounded bytes.Buffer, which can be exploited to cause memory exhaustion when communicating with a malicious or compromised collector endpoint or via a man-in-the-middle attack. This vulnerability has a CVSS 3.1 base score of 5.3, reflecting a medium severity impact primarily on availability. The issue is resolved in version 1.43.0 of the library.
Potential Impact
Successful exploitation can cause memory exhaustion on systems using vulnerable versions of opentelemetry-go, potentially leading to denial of service due to resource depletion. There is no impact on confidentiality or integrity according to the CVSS vector. The attack requires network access to the configured collector endpoint or the ability to intercept and modify exporter communications.
Mitigation Recommendations
Upgrade to opentelemetry-go version 1.43.0 or later, where this vulnerability is fixed. Since no official patch link or advisory is provided, users should verify the version upgrade as the remediation. Patch status is confirmed by the vendor stating the fix is included in version 1.43.0. Until upgraded, avoid using untrusted or attacker-controlled collector endpoints and secure network communications to prevent man-in-the-middle attacks.
CVE-2026-39882: CWE-789: Memory Allocation with Excessive Size Value in open-telemetry opentelemetry-go
Description
CVE-2026-39882 is a medium severity vulnerability in the open-telemetry opentelemetry-go library prior to version 1. 43. 0. The issue involves the otlp HTTP exporters reading the full HTTP response body into an in-memory buffer without limiting its size. This can lead to memory exhaustion if the collector endpoint is attacker-controlled or if a network attacker can intercept and manipulate the connection. The vulnerability is fixed in version 1. 43. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The open-telemetry opentelemetry-go library versions before 1.43.0 contain a memory allocation vulnerability (CWE-789) in the otlp HTTP exporters for traces, metrics, and logs. These exporters read the entire HTTP response body into an unbounded bytes.Buffer, which can be exploited to cause memory exhaustion when communicating with a malicious or compromised collector endpoint or via a man-in-the-middle attack. This vulnerability has a CVSS 3.1 base score of 5.3, reflecting a medium severity impact primarily on availability. The issue is resolved in version 1.43.0 of the library.
Potential Impact
Successful exploitation can cause memory exhaustion on systems using vulnerable versions of opentelemetry-go, potentially leading to denial of service due to resource depletion. There is no impact on confidentiality or integrity according to the CVSS vector. The attack requires network access to the configured collector endpoint or the ability to intercept and modify exporter communications.
Mitigation Recommendations
Upgrade to opentelemetry-go version 1.43.0 or later, where this vulnerability is fixed. Since no official patch link or advisory is provided, users should verify the version upgrade as the remediation. Patch status is confirmed by the vendor stating the fix is included in version 1.43.0. Until upgraded, avoid using untrusted or attacker-controlled collector endpoints and secure network communications to prevent man-in-the-middle attacks.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-07T20:32:03.010Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d6bfa81cc7ad14dab01ab8
Added to database: 4/8/2026, 8:50:48 PM
Last enriched: 4/16/2026, 12:11:58 PM
Last updated: 5/24/2026, 1:51:09 AM
Views: 88
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.