CVE-2026-42348: CWE-789: Memory Allocation with Excessive Size Value in open-telemetry opentelemetry-dotnet-contrib
CVE-2026-42348 is a medium severity vulnerability in the OpenTelemetry. OpAmp. Client component of the opentelemetry-dotnet-contrib project. Versions prior to 0. 2. 0-alpha. 1 allocate an unbounded buffer when reading HTTP responses from the OpAMP server, without limiting the size of the data consumed. This can lead to memory exhaustion if an attacker controls the OpAMP server or can intercept and modify the network traffic to send a very large response body. The vulnerability does not affect confidentiality or integrity but impacts availability due to potential denial of service via resource exhaustion. A fix was introduced in version 0.
AI Analysis
Technical Summary
The OpenTelemetry.OpAmp.Client in opentelemetry-dotnet-contrib versions before 0.2.0-alpha.1 improperly handles HTTP responses from the OpAMP server by allocating an unbounded buffer to read all bytes without an upper limit. This behavior can cause excessive memory consumption, leading to potential application crashes or denial of service if the server is malicious or the connection is intercepted and manipulated. The vulnerability is classified under CWE-789 (Memory Allocation with Excessive Size Value). The issue was fixed in version 0.2.0-alpha.1 by implementing proper limits on buffer allocation.
Potential Impact
The vulnerability allows an attacker who controls the OpAMP server or can perform a man-in-the-middle attack to cause memory exhaustion in the client application by sending an extremely large HTTP response body. This results in denial of service due to resource exhaustion. There is no impact on confidentiality or integrity of data. No known exploits have been reported in the wild.
Mitigation Recommendations
Users should upgrade to OpenTelemetry.OpAmp.Client version 0.2.0-alpha.1 or later, where this vulnerability is fixed. Since the vendor advisory does not explicitly state patch availability beyond this version, users should verify the upgrade path with the official project repositories or vendor communications. No other mitigations are specified.
CVE-2026-42348: CWE-789: Memory Allocation with Excessive Size Value in open-telemetry opentelemetry-dotnet-contrib
Description
CVE-2026-42348 is a medium severity vulnerability in the OpenTelemetry. OpAmp. Client component of the opentelemetry-dotnet-contrib project. Versions prior to 0. 2. 0-alpha. 1 allocate an unbounded buffer when reading HTTP responses from the OpAMP server, without limiting the size of the data consumed. This can lead to memory exhaustion if an attacker controls the OpAMP server or can intercept and modify the network traffic to send a very large response body. The vulnerability does not affect confidentiality or integrity but impacts availability due to potential denial of service via resource exhaustion. A fix was introduced in version 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The OpenTelemetry.OpAmp.Client in opentelemetry-dotnet-contrib versions before 0.2.0-alpha.1 improperly handles HTTP responses from the OpAMP server by allocating an unbounded buffer to read all bytes without an upper limit. This behavior can cause excessive memory consumption, leading to potential application crashes or denial of service if the server is malicious or the connection is intercepted and manipulated. The vulnerability is classified under CWE-789 (Memory Allocation with Excessive Size Value). The issue was fixed in version 0.2.0-alpha.1 by implementing proper limits on buffer allocation.
Potential Impact
The vulnerability allows an attacker who controls the OpAMP server or can perform a man-in-the-middle attack to cause memory exhaustion in the client application by sending an extremely large HTTP response body. This results in denial of service due to resource exhaustion. There is no impact on confidentiality or integrity of data. No known exploits have been reported in the wild.
Mitigation Recommendations
Users should upgrade to OpenTelemetry.OpAmp.Client version 0.2.0-alpha.1 or later, where this vulnerability is fixed. Since the vendor advisory does not explicitly state patch availability beyond this version, users should verify the upgrade path with the official project repositories or vendor communications. No other mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-26T13:26:14.515Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a036fcccbff5d86100cc53c
Added to database: 5/12/2026, 6:22:04 PM
Last enriched: 5/12/2026, 6:40:11 PM
Last updated: 5/12/2026, 9:27:18 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.