CVE-2026-41483 Overview
CVE-2026-41483 affects OpenTelemetry.Resources.Azure, the .NET resource detector for Azure environments. The AzureVmMetaDataRequestor class issues HTTP requests to the Azure VM instance metadata service and reads the response body into memory without enforcing a size limit. An attacker who controls the configured endpoint, or who can intercept traffic via a man-in-the-middle attack, can return an arbitrarily large response body. This triggers unbounded heap allocation in the consuming process, producing memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. The flaw is tracked under CWE-770 (Allocation of Resources Without Limits or Throttling).
Critical Impact
Unbounded memory allocation in the Azure VM metadata detector enables remote denial-of-service against .NET applications using affected OpenTelemetry contrib packages.
Affected Products
- OpenTelemetry.Resources.Azure versions 1.15.0-beta.1 and earlier
- .NET applications consuming the Azure VM resource detector
- OpenTelemetry .NET Contrib distributions bundling the affected package
Discovery Timeline
- 2026-05-06 - CVE-2026-41483 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-41483
Vulnerability Analysis
The vulnerability resides in the AzureVmMetaDataRequestor class within the OpenTelemetry .NET Contrib repository. The component contacts the Azure Instance Metadata Service (IMDS) at runtime to enrich telemetry with VM resource attributes. The response handler reads the entire HTTP body into memory in a single buffered operation. No content-length validation, streaming boundary, or maximum-size guard is applied before allocation.
When the response body is large, the .NET runtime attempts to grow managed buffers on the heap to accommodate the data. This causes transient memory pressure, blocking garbage-collection cycles, or an outright OutOfMemoryException that crashes the host process. Long-running services that load the resource detector at startup or refresh metadata periodically inherit the same exposure.
Root Cause
The root cause is missing input size enforcement on untrusted HTTP response data, classified as CWE-770. The detector trusts the metadata endpoint to behave correctly and does not impose an upper bound on buffered bytes. When the endpoint is attacker-controlled or reachable through an unauthenticated network path, the trust assumption breaks.
Attack Vector
Exploitation requires the attacker to influence traffic to the metadata endpoint. Two paths apply: control of the configured endpoint URL, or interception of the network path between the application and the IMDS host. The attack is network-based with high complexity, since the adversary must occupy a privileged network position or alter detector configuration. No authentication or user interaction is required, and successful exploitation produces denial-of-service through process termination or sustained memory exhaustion.
No public proof-of-concept exploit code is available; only a prose description of the mechanism exists: the attacker returns an HTTP response whose body is sized to exhaust the available managed heap, and the consuming process keeps allocating until the runtime aborts. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-41483
Indicators of Compromise
- Repeated OutOfMemoryException events in .NET application logs originating from OpenTelemetry.Resources.Azure stack frames
- Unexpected high memory allocation rates or extended garbage-collection pauses shortly after process startup or telemetry initialization
- HTTP responses from the Azure IMDS endpoint (169.254.169.254) with unusually large Content-Length values
Detection Strategies
- Inventory .NET applications and identify those referencing OpenTelemetry.Resources.Azure at version 1.15.0-beta.1 or earlier through dependency scanning
- Instrument the host runtime to alert on rapid managed-heap growth during resource detector initialization
- Inspect outbound traffic to the IMDS endpoint for response sizes that exceed expected metadata payloads, which are typically a few kilobytes
Monitoring Recommendations
- Track .NET process restart frequency and crash dumps containing OpenTelemetry resource detector frames
- Forward application logs and runtime metrics to a centralized analytics platform for correlation across services
- Monitor for configuration changes that redirect the IMDS endpoint to non-default hosts
How to Mitigate CVE-2026-41483
Immediate Actions Required
- Upgrade OpenTelemetry.Resources.Azure to version 1.15.1-beta.1, which streams responses and rejects bodies larger than 4 MiB
- Audit application configuration for custom IMDS endpoint overrides and revert to the documented default where appropriate
- Restrict outbound network paths from production workloads so only the legitimate Azure metadata endpoint is reachable
Patch Information
The issue is fixed in OpenTelemetry.Resources.Azure version 1.15.1-beta.1. The patch streams HTTP responses rather than buffering them entirely in memory and ignores responses larger than 4 MiB. Review the GitHub Pull Request for the code change and the GitHub Security Advisory for vendor guidance.
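As an added illustration that is not code from the OpenTelemetry .NET Contrib repository or its fix, the C# below places the unbounded read pattern described in the Vulnerability Analysis beside a streaming read that enforces the 4 MiB cap the Patch Information section attributes to version 1.15.1-beta.1. The BoundedMetadataReader class, its method names, the chunk size and the sample JSON body are assumptions chosen for the demonstration; the Metadata: true request header is the one Azure IMDS requires. The Main method runs offline against constructed in-memory bodies, so no network call is made.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

// Added illustration (not the project's code): unbounded read vs. bounded streaming read.
public static class BoundedMetadataReader
{
    // 4 MiB, the limit the advisory says the fixed version enforces.
    public const long MaxBodyBytes = 4L * 1024 * 1024;

    // Vulnerable pattern: the entire body is materialised in managed memory
    // whatever its size, so a hostile endpoint dictates the allocation.
    public static Task<string> ReadUnboundedAsync(HttpResponseMessage response)
    {
        return response.Content.ReadAsStringAsync();
    }

    // Hardened pattern: reject on an advertised Content-Length over the cap,
    // otherwise stream in fixed chunks and abort as soon as the cap is crossed.
    // Returns null when the body is rejected, mirroring "ignore oversized responses".
    public static async Task<string> ReadBoundedAsync(Stream body, long? contentLength, long maxBytes = MaxBodyBytes)
    {
        if (contentLength.HasValue && contentLength.Value > maxBytes)
            return null; // advertised size already exceeds the cap; allocate nothing

        var chunk = new byte[16 * 1024]; // fixed 16 KiB read buffer (assumed size)
        using var collected = new MemoryStream();
        long total = 0;
        int read;
        while ((read = await body.ReadAsync(chunk, 0, chunk.Length)) > 0)
        {
            total += read;
            if (total > maxBytes)
                return null; // chunked body with no Content-Length exceeded the cap mid-stream
            collected.Write(chunk, 0, read);
        }
        return Encoding.UTF8.GetString(collected.GetBuffer(), 0, (int)collected.Length);
    }

    // How the bounded reader plugs into an HttpClient call. ResponseHeadersRead
    // stops HttpClient from buffering the whole body before returning.
    public static async Task<string> FetchMetadataAsync(HttpClient client, string url)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Add("Metadata", "true"); // required by Azure IMDS
        using var response = await client.SendAsync(request, HttpCompletionOption.ResponseHeadersRead);
        response.EnsureSuccessStatusCode();
        using var stream = await response.Content.ReadAsStreamAsync();
        return await ReadBoundedAsync(stream, response.Content.Headers.ContentLength);
    }

    // Offline demonstration on constructed bodies.
    public static async Task Main()
    {
        // Constructed sample: a small, well-formed metadata document with a known length.
        var small = new MemoryStream(Encoding.UTF8.GetBytes("{\"compute\":{\"vmId\":\"constructed-sample\"}}"));
        var accepted = await ReadBoundedAsync(small, small.Length);
        Console.WriteLine(accepted is null ? "small body: rejected" : "small body: accepted, " + accepted.Length + " chars");

        // Constructed sample: a 5 MiB body with no advertised length, as a hostile endpoint might send.
        var oversized = new MemoryStream(new byte[5 * 1024 * 1024]);
        var rejected = await ReadBoundedAsync(oversized, null);
        Console.WriteLine(rejected is null ? "oversized body: rejected" : "oversized body: accepted");
    }
}
```

The Content-Length check alone is not sufficient: a chunked response carries no length header, which is why the loop also counts bytes as they arrive and stops before buffering more than the cap. Returning null rather than a truncated document keeps the detector from acting on a partial JSON body and leaves it to behave as it would when metadata is simply unavailable.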
Workarounds
- Disable the Azure VM resource detector in OpenTelemetry configuration until the upgrade is deployed
- Enforce mutual TLS (mTLS) or service-mesh policies on the path to the metadata endpoint to prevent man-in-the-middle interception
- Apply firewall rules that restrict metadata traffic to the link-local IMDS address 169.254.169.254 and block alternate destinations
# Configuration example
# Update package reference in your .csproj to the fixed version
dotnet add package OpenTelemetry.Resources.Azure --version 1.15.1-beta.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.