CVE-2026-41078 Overview
OpenTelemetry .NET is a telemetry framework for .NET applications. A memory exhaustion vulnerability exists in OpenTelemetry.Exporter.Jaeger version 1.6.0-rc.1 and earlier that can lead to denial of service conditions. The vulnerability stems from how the internal pooled-list sizing mechanism handles large span/tag sets, where the enlarged allocation size is reused for subsequent allocations without proper bounds management.
Critical Impact
Under high-cardinality or attacker-influenced telemetry input, this vulnerability can cause sustained memory pressure, leading to increased memory consumption and potential denial of service. The deprecated status of OpenTelemetry.Exporter.Jaeger means no fix will be released.
Affected Products
- OpenTelemetry.Exporter.Jaeger version 1.6.0-rc.1 and earlier
- Applications using the deprecated Jaeger exporter component
- .NET applications with high-cardinality telemetry configurations
Discovery Timeline
- April 23, 2026 - CVE-2026-41078 published to NVD
- April 23, 2026 - Last updated in NVD database
Technical Details for CVE-2026-41078
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The issue manifests in the internal memory pooling mechanism of the Jaeger exporter component, where pooled-list structures grow dynamically based on observed span and tag set sizes without implementing appropriate size limits or cleanup procedures.
When the exporter processes telemetry data with large span or tag sets, the internal pooled-list grows to accommodate this data. The critical flaw is that this enlarged memory allocation persists and is reused for subsequent allocations, even when smaller allocations would suffice. Over time, especially under conditions with high-cardinality input or attacker-controlled telemetry data, this leads to cumulative memory consumption that degrades application performance and can ultimately cause denial of service.
The network-based attack vector with high attack complexity indicates that while exploitation requires network access, specific conditions must be met for successful exploitation, such as the ability to influence telemetry data or sustained high-cardinality input patterns.
Root Cause
The root cause lies in improper resource management within the OpenTelemetry.Exporter.Jaeger component's memory pooling implementation. Specifically, the pooled-list data structure lacks:
- Maximum size limits for pooled allocations
- Automatic shrinking or cleanup of oversized pool entries
- Memory pressure detection and mitigation
When a large span or tag set is processed, the pool expands to accommodate it. However, the implementation fails to reduce the allocation size when smaller data sets are subsequently processed, causing the inflated memory footprint to persist indefinitely.
Attack Vector
An attacker with the ability to influence telemetry data can exploit this vulnerability by injecting high-cardinality telemetry input. This could occur through:
- Direct telemetry injection: If an attacker can submit telemetry data to an application using the vulnerable exporter
- High-cardinality data manipulation: Generating requests that result in spans with unusually large tag sets
- Sustained resource pressure: Repeatedly triggering large allocations to progressively exhaust available memory
The attack requires network access and the ability to influence telemetry data either directly or indirectly through application functionality that generates telemetry. The high attack complexity reflects the need for specific conditions and sustained effort to achieve denial of service.
The vulnerability mechanism involves the pooled-list sizing behavior where memory allocations grow based on observed data but fail to shrink, leading to resource exhaustion. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-41078
Indicators of Compromise
- Unusual memory growth patterns in applications using OpenTelemetry Jaeger exporter
- Progressively increasing memory consumption without corresponding workload increase
- Application performance degradation over time correlating with telemetry processing
- Out-of-memory exceptions or crashes in long-running applications
Detection Strategies
- Monitor application memory metrics for sustained growth patterns indicative of memory leaks or exhaustion
- Implement alerting on memory utilization thresholds for applications using OpenTelemetry.Exporter.Jaeger
- Review application dependencies for presence of deprecated Jaeger exporter packages
- Analyze garbage collection metrics for abnormal allocation patterns
Monitoring Recommendations
- Enable memory profiling for applications using OpenTelemetry .NET exporters
- Configure memory utilization alerts at 70%, 85%, and 95% thresholds
- Monitor telemetry cardinality metrics to identify unusually high-cardinality span or tag patterns
- Implement application health checks that include memory pressure indicators
How to Mitigate CVE-2026-41078
Immediate Actions Required
- Migrate from the deprecated OpenTelemetry.Exporter.Jaeger to supported OTLP exporters
- Review and update application telemetry configurations to use OpenTelemetry.Exporter.OpenTelemetryProtocol
- Implement input validation and cardinality limits for user-influenced telemetry data
- Configure memory limits and resource constraints for affected applications
Patch Information
No patch will be released for this vulnerability as OpenTelemetry.Exporter.Jaeger was deprecated in 2023. The official recommendation is to migrate to the OpenTelemetry Protocol (OTLP) exporter, which is the actively maintained and supported exporter for OpenTelemetry .NET.
Migration guidance is available in the GitHub Security Advisory.
Workarounds
- Replace OpenTelemetry.Exporter.Jaeger with OpenTelemetry.Exporter.OpenTelemetryProtocol in application dependencies
- Implement application-level memory constraints using container orchestration or runtime configuration
- Apply rate limiting to telemetry data sources that could be influenced by external actors
- Configure cardinality limits on span attributes and tags to prevent oversized allocations
# Configuration example - Migrate to OTLP Exporter
# Remove deprecated Jaeger exporter
dotnet remove package OpenTelemetry.Exporter.Jaeger
# Install OTLP exporter
dotnet add package OpenTelemetry.Exporter.OpenTelemetryProtocol
# Configure OTLP endpoint in application settings
# Set OTEL_EXPORTER_OTLP_ENDPOINT environment variable
export OTEL_EXPORTER_OTLP_ENDPOINT="http://your-collector:4317"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
