Medium severity5.9NVD Advisory· Published Apr 23, 2026· Updated Apr 28, 2026
CVE-2026-41078
CVE-2026-41078
Description
OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
OpenTelemetry.Exporter.JaegerNuGet | <= 1.6.0-rc.1 | — |
Affected products
6cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:alpha1:*:*:*:.net:*:*+ 5 more
- cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:alpha1:*:*:*:.net:*:*
- cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:beta1:*:*:*:.net:*:*
- cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:beta2:*:*:*:.net:*:*
- cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:beta3:*:*:*:.net:*:*
- cpe:2.3:a:opentelemetry:opentelemetry:1.6.0:rc1:*:*:*:.net:*:*
- cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:*range: <1.6.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-38h3-2333-qx47ghsaADVISORY
- github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-38h3-2333-qx47nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-41078ghsaADVISORY
News mentions
1- Introducing Flagship: feature flags built for the age of AICloudflare Blog · Apr 17, 2026