CVE-2026-44967: CWE-789: Memory Allocation with Excessive Size Value in open-telemetry opentelemetry-cpp
OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0.
AI Analysis
Technical Summary
The open-telemetry opentelemetry-cpp library versions before 1.27.0 have a vulnerability (CWE-789) where the OTLP HTTP exporters for traces, metrics, and logs read the entire HTTP response into an in-memory byte vector without imposing a size limit. This behavior can be exploited to cause memory exhaustion if the configured collector endpoint is malicious or if a network attacker can perform a man-in-the-middle attack on the exporter connection. The vulnerability is addressed in version 1.27.0 of opentelemetry-cpp.
Potential Impact
An attacker controlling the collector endpoint or able to intercept the network connection can cause the exporter to allocate excessive memory, potentially leading to denial of service due to memory exhaustion. There is no impact on confidentiality or integrity reported.
Mitigation Recommendations
Upgrade to opentelemetry-cpp version 1.27.0 or later, where this vulnerability is fixed. No other official remediation or temporary fix is documented. Until upgrading, avoid using untrusted collector endpoints or ensure network protections to prevent man-in-the-middle attacks.
CVSS v3.1
Score: 5.3 (Medium)
Affected software
pkg:github/open-telemetry/opentelemetry-cpp
Weaknesses
CWE-789: Memory Allocation with Excessive Size Value
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-08T16:23:33.263Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a2c2836e617e2d83487d708
Added to database: 6/12/2026, 3:39:34 PM
Last enriched: 6/12/2026, 3:56:59 PM
Last updated: 6/13/2026, 6:24:48 AM