CVE-2026-41310 Overview
CVE-2026-41310 affects the OpenTelemetry .NET Zipkin exporter (OpenTelemetry.Exporter.Zipkin) in versions 1.15.2 and earlier. The exporter caches remote endpoint data derived from span attributes without bounding cache key growth. Applications generating high-cardinality client or producer spans accumulate cache entries indefinitely, increasing process memory usage over time. The flaw is classified under CWE-400 (Uncontrolled Resource Consumption). Maintainers fixed the issue in version 1.15.3 by introducing a bounded, thread-safe Least Recently Used (LRU) cache with a fixed maximum size.
Critical Impact
Sustained unique remote endpoint values can exhaust process memory, degrading availability of .NET services that export telemetry through Zipkin.
Affected Products
- OpenTelemetry .NET Zipkin Exporter (OpenTelemetry.Exporter.Zipkin) versions ≤ 1.15.2
- .NET applications using Zipkin export for client spans
- .NET applications using Zipkin export for producer spans
Discovery Timeline
- 2026-05-06 - CVE-2026-41310 published to the National Vulnerability Database (NVD)
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-41310
Vulnerability Analysis
The Zipkin exporter maintains a cache that maps span attribute values to remote endpoint objects. The cache implementation accepts unbounded growth of cache keys derived directly from span attributes. When applications generate spans containing high-cardinality attribute values, such as unique request identifiers, customer identifiers, or dynamic URLs, each unique value produces a new cache entry.
Client spans and producer spans are particularly affected because their remote endpoint values often derive from request-specific data. Long-running services experience steady memory growth as the cache retains every unique key encountered. The application process eventually consumes excessive memory, triggering garbage collection pressure, paging, or out-of-memory termination.
Root Cause
The root cause is missing bounds enforcement on the remote endpoint cache. The original implementation lacked an eviction policy, allowing the cache to grow proportionally to the number of unique remote endpoint values observed during the process lifetime. Version 1.15.3 replaces this structure with a thread-safe LRU cache that enforces a fixed maximum size and evicts least recently used entries.
Attack Vector
An attacker with the ability to influence span attribute values can amplify memory growth by generating requests that produce unique remote endpoint values. The vulnerability is reachable over the network because the attacker only needs to drive instrumented operations on the target service. No authentication or user interaction is required. The result is reduced availability rather than data compromise.
The vulnerability mechanism is described in the GitHub Security Advisory GHSA-88hf-wf7h-7w4m and the corresponding fix is implemented in Pull Request #7081.
Detection Methods for CVE-2026-41310
Indicators of Compromise
- Steady, monotonic growth of working set or private bytes in .NET processes that export to Zipkin
- Increasing managed heap size attributable to OpenTelemetry.Exporter.Zipkin allocations
- Rising garbage collection frequency and Gen2 collection counts in services using Zipkin export
- Out-of-memory exceptions or process restarts correlated with sustained span throughput
Detection Strategies
- Inventory .NET applications and identify those referencing OpenTelemetry.Exporter.Zipkin at version 1.15.2 or earlier
- Profile managed heap snapshots to confirm retained objects originate from the Zipkin exporter remote endpoint cache
- Correlate memory growth with span cardinality metrics for client and producer span types
Monitoring Recommendations
- Track per-process memory metrics with thresholds aligned to expected workload baselines
- Alert on .NET process restarts triggered by memory pressure on hosts running instrumented services
- Monitor span attribute cardinality at ingest to identify producers emitting unbounded unique values
How to Mitigate CVE-2026-41310
Immediate Actions Required
- Upgrade OpenTelemetry.Exporter.Zipkin to version 1.15.3 or later across all affected .NET applications
- Review span instrumentation and reduce the cardinality of attributes contributing to remote endpoint identification
- Restart long-running services after upgrade to release accumulated cache memory
Patch Information
The fix is included in OpenTelemetry.Exporter.Zipkin version 1.15.3. The patch introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size. Implementation details are available in Pull Request #7081 on the open-telemetry/opentelemetry-dotnet repository.
Workarounds
- Switch to an alternative OpenTelemetry exporter, such as the OTLP exporter, until the upgrade is applied
- Sanitize or normalize high-cardinality span attributes before they reach the exporter
- Recycle affected processes on a schedule to bound cumulative memory growth until patching completes
# Upgrade the affected NuGet package to the patched version
dotnet add package OpenTelemetry.Exporter.Zipkin --version 1.15.3
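One way to apply the attribute-normalization workaround on an unpatched exporter, as an added example that is not part of the advisory or the OpenTelemetry project: an OpenTelemetry .NET processor registered ahead of the Zipkin exporter that admits at most a fixed number of distinct values per listed attribute and collapses the rest to a single placeholder. The attribute names `peer.service` and `server.address`, the source name `MyApp` and the limit of 100 are assumptions; use the attributes your instrumentation actually emits.

```csharp
using System.Collections.Concurrent;
using System.Diagnostics;
using OpenTelemetry;
using OpenTelemetry.Trace;

// Added workaround illustration, not part of the advisory or the exporter. A
// processor registered ahead of the Zipkin exporter caps how many distinct
// values each listed attribute may take, so the exporter sees a bounded key set.
sealed class CardinalityCapProcessor : BaseProcessor<Activity>
{
    private readonly string[] keys;
    private readonly int maxDistinct;
    private readonly ConcurrentDictionary<string, ConcurrentDictionary<string, byte>> seen = new();

    public CardinalityCapProcessor(int maxDistinct, params string[] keys)
    {
        this.maxDistinct = maxDistinct;
        this.keys = keys;
    }

    public override void OnEnd(Activity activity)
    {
        foreach (var key in keys)
        {
            if (activity.GetTagItem(key) is not string value) continue;
            var values = seen.GetOrAdd(key, _ => new ConcurrentDictionary<string, byte>());
            if (values.ContainsKey(value)) continue;                             // known value: pass through
            if (values.Count < maxDistinct && values.TryAdd(value, 0)) continue; // admit a new value
            // Long tail collapsed to one value; may overshoot by a few entries under contention.
            activity.SetTag(key, "other");
        }
    }
}

static class Program
{
    static void Main()
    {
        // Attribute names are assumed examples; processors run in registration order,
        // so this one must be added before the exporter.
        using var provider = Sdk.CreateTracerProviderBuilder()
            .AddSource("MyApp")
            .AddProcessor(new CardinalityCapProcessor(maxDistinct: 100, "peer.service", "server.address"))
            .AddZipkinExporter()
            .Build();
    }
}
```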
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.