CVE-2026-41310: CWE-770: Allocation of Resources Without Limits or Throttling in open-telemetry opentelemetry-dotnet
OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.
AI Analysis
Technical Summary
The OpenTelemetry.Exporter.Zipkin component in opentelemetry-dotnet versions up to 1.15.2 suffers from unbounded resource allocation in its remote endpoint cache. This cache accepts keys derived from span attributes without limits, leading to uncontrolled memory growth under sustained high-cardinality conditions. This can degrade application availability due to increased memory usage. The issue is addressed in version 1.15.3 by implementing a bounded, thread-safe Least Recently Used (LRU) cache with a fixed maximum size to limit memory consumption.
Potential Impact
This vulnerability can cause increased memory usage and potential degradation of availability in processes using the Zipkin exporter for client or producer spans under high-cardinality conditions. There is no impact on confidentiality or integrity. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade to opentelemetry-dotnet version 1.15.3 or later, which includes a fix by introducing a bounded, thread-safe LRU cache for remote endpoints. Patch status is not explicitly confirmed in the vendor advisory, but the fix is included in version 1.15.3. Until upgraded, users may experience memory growth under certain conditions.
CVE-2026-41310: CWE-770: Allocation of Resources Without Limits or Throttling in open-telemetry opentelemetry-dotnet
Description
OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The OpenTelemetry.Exporter.Zipkin component in opentelemetry-dotnet versions up to 1.15.2 suffers from unbounded resource allocation in its remote endpoint cache. This cache accepts keys derived from span attributes without limits, leading to uncontrolled memory growth under sustained high-cardinality conditions. This can degrade application availability due to increased memory usage. The issue is addressed in version 1.15.3 by implementing a bounded, thread-safe Least Recently Used (LRU) cache with a fixed maximum size to limit memory consumption.
Potential Impact
This vulnerability can cause increased memory usage and potential degradation of availability in processes using the Zipkin exporter for client or producer spans under high-cardinality conditions. There is no impact on confidentiality or integrity. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade to opentelemetry-dotnet version 1.15.3 or later, which includes a fix by introducing a bounded, thread-safe LRU cache for remote endpoints. Patch status is not explicitly confirmed in the vendor advisory, but the fix is included in version 1.15.3. Until upgraded, users may experience memory growth under certain conditions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-20T14:01:46.670Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fbb106cbff5d8610650ae3
Added to database: 5/6/2026, 9:22:14 PM
Last enriched: 5/6/2026, 9:36:42 PM
Last updated: 5/7/2026, 1:43:53 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.