CVE-2026-41484 Overview
CVE-2026-41484 affects the OpenTelemetry.Exporter.OneCollector .NET library, which exports telemetry to a OneCollector back-end over HTTP. Versions 1.15.0 and earlier read the entire HTTP error response body into memory without an upper bound. An attacker controlling the configured endpoint, or performing a man-in-the-middle attack on adjacent network traffic, can return an oversized response body. This triggers unbounded heap allocation in the consuming .NET process, producing transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the application. The flaw is categorized as uncontrolled resource consumption [CWE-770] and is fixed in version 1.15.1.
Critical Impact
Attackers with adjacent-network access or endpoint control can crash .NET processes consuming OpenTelemetry OneCollector telemetry by returning oversized HTTP error responses.
Affected Products
- OpenTelemetry.Exporter.OneCollector for .NET, versions 1.15.0 and earlier
- .NET applications using the OneCollector exporter from the opentelemetry-dotnet-contrib repository
- Telemetry pipelines forwarding traces, metrics, or logs to OneCollector back-ends
Discovery Timeline
- 2026-05-06 - CVE-2026-41484 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-41484
Vulnerability Analysis
The vulnerability resides in the HttpJsonPostTransport class within the OneCollector exporter. When a POST request to the configured back-end returns an unsuccessful HTTP 4xx or 5xx response, the transport reads the entire response body into a buffer so the error content can be surfaced in operator logs. The implementation does not enforce a maximum read size, content-length cap, or streaming boundary on the response body. A malicious or compromised endpoint can therefore stream an arbitrarily large payload that the .NET runtime allocates onto the managed heap.
The resulting allocation pattern produces three observable failure modes. Large transient allocations cause garbage-collection pauses that stall telemetry processing threads. Sustained pressure pushes the process into Gen 2 collections and Large Object Heap fragmentation. In sufficiently constrained environments, the runtime raises OutOfMemoryException and terminates the host process, removing observability from production workloads.
Root Cause
The root cause is missing input size validation on a network-sourced response stream. The error-handling path prioritized log fidelity over resource bounding, violating defensive limits expected for any externally controlled byte stream [CWE-770].
Attack Vector
Exploitation requires the attacker to control the configured OneCollector endpoint or to intercept traffic between the .NET application and the legitimate endpoint. The CVSS vector indicates an adjacent-network attack with high attack complexity and no privileges or user interaction required. The impact is limited to availability — confidentiality and integrity are not affected. Refer to the GitHub Security Advisory GHSA-55m9-299j-53c7 for the maintainer analysis.
Detection Methods for CVE-2026-41484
Indicators of Compromise
- Unusual spikes in managed heap size or Large Object Heap allocations within .NET processes hosting the OneCollector exporter.
- Repeated OutOfMemoryException events or unexpected process restarts coinciding with telemetry export failures.
- HTTP 4xx or 5xx responses from the configured OneCollector endpoint with abnormally large Content-Length values or chunked transfer encoding.
Detection Strategies
- Inventory .NET applications referencing OpenTelemetry.Exporter.OneCollector package versions 1.15.0 or earlier through software composition analysis.
- Monitor outbound TLS sessions to OneCollector endpoints for response sizes that exceed normal telemetry acknowledgment volumes.
- Correlate .NET runtime exception telemetry with exporter log entries containing truncated or oversized error response bodies.
Monitoring Recommendations
- Enable .NET runtime metrics (gc-heap-size, gen-2-gc-count, loh-size) and alert on sudden growth in processes performing telemetry export.
- Capture network flow telemetry between application hosts and OneCollector endpoints to baseline expected response sizes.
- Log and alert on exporter retry storms, which often precede memory exhaustion driven by malicious response bodies.
How to Mitigate CVE-2026-41484
Immediate Actions Required
- Upgrade OpenTelemetry.Exporter.OneCollector to version 1.15.1, which caps error response body reads at 4 MiB.
- Audit configured OneCollector endpoints and remove any that are not under trusted administrative control.
- Enforce mutual TLS (mTLS) between exporters and OneCollector back-ends to prevent man-in-the-middle interception on adjacent networks.
Patch Information
The maintainers fixed the issue in version 1.15.1 by limiting the number of bytes read from the response body in error conditions to 4 MiB. The code change is documented in GitHub Pull Request #4117. Consumers should update package references in project files and redeploy affected services.
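The unbounded read described under Vulnerability Analysis beside the bounded read the 1.15.1 fix applies, as an added example that is not the exporter's own code: the class and method names and the 16 KiB read window are assumptions; the 4 MiB cap is the figure the advisory gives for the fix.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

public static class ErrorBodyReader
{
    // Cap taken from the advisory's description of the 1.15.1 fix; the constant name is ours.
    public const int MaxErrorBodyBytes = 4 * 1024 * 1024;

    // Pre-fix pattern as the advisory describes it: the whole body is buffered on the
    // managed heap, so the allocation size is dictated by whoever answers the POST.
    public static Task<string> ReadUnboundedAsync(HttpResponseMessage response)
        => response.Content.ReadAsStringAsync();

    // Bounded pattern: never buffer more than maxBytes, and do not rely on Content-Length,
    // which a hostile or chunked response can omit or misstate. Reports whether it cut off.
    public static async Task<(string Text, bool Truncated)> ReadBoundedAsync(
        HttpResponseMessage response, int maxBytes = MaxErrorBodyBytes)
    {
        using Stream body = await response.Content.ReadAsStreamAsync().ConfigureAwait(false);
        var window = new byte[Math.Min(maxBytes, 16 * 1024)];   // fixed read window, not body-sized
        using var kept = new MemoryStream();
        int remaining = maxBytes;
        while (remaining > 0)
        {
            int n = await body.ReadAsync(window, 0, Math.Min(window.Length, remaining)).ConfigureAwait(false);
            if (n == 0) break;                                  // server finished under the cap
            kept.Write(window, 0, n);
            remaining -= n;
        }
        // Cap reached: a single probe read shows whether more was on the wire (discarded, not kept).
        bool truncated = remaining == 0
            && await body.ReadAsync(window, 0, 1).ConfigureAwait(false) > 0;
        return (Encoding.UTF8.GetString(kept.GetBuffer(), 0, (int)kept.Length), truncated);
    }

    public static async Task Main()
    {
        // Constructed sample: a 10 MiB 4xx body served from memory, so nothing touches the network.
        using var oversized = new HttpResponseMessage(HttpStatusCode.BadRequest)
        {
            Content = new StreamContent(new MemoryStream(new byte[10 * 1024 * 1024]))
        };
        var (text, truncated) = await ReadBoundedAsync(oversized);
        Console.WriteLine($"buffered {text.Length} chars of error body, truncated={truncated}");
    }
}
```

Swapping the call in Main for ReadUnboundedAsync buffers the full 10 MiB, which is the allocation the advisory says an endpoint can drive to any size it likes.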
Workarounds
- Apply firewall rules that restrict outbound connections from application hosts to known OneCollector endpoint IP ranges only.
- Deploy a service mesh or egress proxy that enforces response size limits on traffic to telemetry back-ends.
- Configure mTLS between the exporter and the collector so unauthorized intermediaries cannot inject crafted responses.
# Update the OneCollector exporter package to the patched version
dotnet add package OpenTelemetry.Exporter.OneCollector --version 1.15.1
# Verify the resolved version in the project
dotnet list package | grep OneCollector
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.