CVE-2026-39882 Overview
OpenTelemetry-Go is the Go implementation of OpenTelemetry, a popular observability framework for cloud-native software. A memory exhaustion vulnerability exists in versions prior to 1.43.0 where the OTLP HTTP exporters for traces, metrics, and logs read the full HTTP response body into an in-memory bytes.Buffer without implementing a size cap. This flaw can be exploited when the configured collector endpoint is attacker-controlled or when a network attacker can perform a man-in-the-middle attack on the exporter connection, allowing them to send arbitrarily large responses that exhaust available memory.
Critical Impact
Attackers can cause denial of service by exhausting memory on systems using OpenTelemetry-Go OTLP HTTP exporters when they control or can intercept the collector endpoint connection.
Affected Products
- OpenTelemetry-Go versions prior to 1.43.0
- OTLP HTTP exporters (traces, metrics, logs)
- Applications using go.opentelemetry.io/otel exporters with HTTP transport
Discovery Timeline
- 2026-04-08 - CVE-2026-39882 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-39882
Vulnerability Analysis
This vulnerability is classified as CWE-789 (Memory Allocation with Excessive Size Value), representing a resource exhaustion condition. The flaw exists in the OTLP HTTP exporter implementations for traces, metrics, and logs within the OpenTelemetry-Go library.
When the exporter sends telemetry data to a collector endpoint, it reads the HTTP response body into a bytes.Buffer without any upper bound on the buffer size. In normal operation, collector responses are small, but an attacker who controls the endpoint or can intercept the connection via a man-in-the-middle position can return arbitrarily large response bodies.
The adjacent network attack vector indicates that exploitation requires the attacker to be on a network segment that allows them to either control the collector endpoint or intercept traffic between the application and the legitimate collector. The high attack complexity reflects the need for specific network positioning or endpoint control.
Root Cause
The root cause is the absence of a maximum size limit when reading HTTP response bodies in the OTLP exporters. The code reads the entire response into memory using bytes.Buffer without checking or limiting the content length. This unbounded read operation allows an attacker to force the application to allocate excessive amounts of memory by simply sending large HTTP response payloads.
Attack Vector
Exploitation requires an adjacent network position where the attacker can either:
- Control the collector endpoint - If the application is misconfigured to point to an attacker-controlled endpoint, or if DNS poisoning redirects the collector hostname to the attacker's server
- Man-in-the-middle the exporter connection - If the attacker can intercept traffic between the application and the legitimate collector, they can inject large responses
The attacker sends an HTTP response with an extremely large body when the OTLP exporter attempts to send telemetry data. The exporter reads this entire response into memory without bounds checking, eventually exhausting available memory and causing the application to crash or become unresponsive.
For detailed technical information about the vulnerability mechanism, see the GitHub Security Advisory.
Detection Methods for CVE-2026-39882
Indicators of Compromise
- Abnormally high memory consumption in applications using OpenTelemetry-Go OTLP HTTP exporters
- Application crashes due to out-of-memory conditions correlated with telemetry export operations
- Unusual network traffic patterns or response sizes from collector endpoints
- Evidence of DNS poisoning or routing changes affecting collector endpoint resolution
Detection Strategies
- Monitor application memory usage patterns and alert on sudden memory growth during telemetry export operations
- Implement network monitoring to detect unusually large HTTP responses from collector endpoints
- Review application logs for out-of-memory errors or abnormal buffer allocation failures
- Use dependency scanning tools to identify OpenTelemetry-Go versions prior to 1.43.0
Monitoring Recommendations
- Deploy application performance monitoring to track memory allocation patterns in services using OpenTelemetry-Go
- Configure network intrusion detection to alert on anomalous response sizes from known collector endpoints
- Implement certificate pinning and TLS validation monitoring to detect potential MITM attempts on exporter connections
How to Mitigate CVE-2026-39882
Immediate Actions Required
- Upgrade OpenTelemetry-Go to version 1.43.0 or later immediately
- Audit collector endpoint configurations to ensure they point to trusted, properly secured endpoints
- Review network security controls to prevent man-in-the-middle attacks on telemetry traffic
- Implement resource limits (memory cgroups, container limits) as a defense-in-depth measure
Patch Information
The vulnerability is fixed in OpenTelemetry-Go version 1.43.0. The fix implements proper size limits when reading HTTP response bodies in the OTLP exporters. Organizations should update their dependencies to this version or later.
The fix was implemented in Pull Request #8108. Additional details are available in the GitHub Security Advisory GHSA-w8rr-5gcm-pp58.
Workarounds
- If upgrading is not immediately possible, ensure collector endpoints are only accessible via secure, authenticated channels
- Implement network segmentation to prevent adjacent network attacks on telemetry traffic
- Use TLS with certificate validation and pinning to prevent man-in-the-middle attacks on exporter connections
- Configure memory limits at the container or process level to prevent complete system exhaustion
# Update OpenTelemetry-Go dependency
go get go.opentelemetry.io/otel@v1.43.0
go mod tidy
# Verify the updated version
go list -m go.opentelemetry.io/otel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
