Medium severity5.9NVD Advisory· Published Apr 23, 2026· Updated Apr 28, 2026
CVE-2026-41078
CVE-2026-41078
Description
OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
OpenTelemetry.Exporter.JaegerNuGet | <= 1.6.0-rc.1 | — |
Affected products
7cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:alpha1:*:*:*:.net:*:*+ 5 more
- cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:alpha1:*:*:*:.net:*:*
- cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:beta1:*:*:*:.net:*:*
- cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:beta2:*:*:*:.net:*:*
- cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:beta3:*:*:*:.net:*:*
- cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:rc1:*:*:*:.net:*:*
- cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:*range: <1.6.0
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-38h3-2333-qx47ghsaADVISORY
- github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-38h3-2333-qx47nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-41078ghsaADVISORY
News mentions
0No linked articles in our index yet.