CVE-2026-42348 Overview
CVE-2026-42348 affects the OpenTelemetry.OpAmp.Client, the Open Agent Management Protocol (OpAMP) client for OpenTelemetry .NET. Versions prior to 0.2.0-alpha.1 allocate an unbounded buffer when reading HTTP responses from the OpAMP server. The client imposes no upper bound on the number of bytes consumed from the response body. An attacker-controlled OpAMP server, or a network attacker performing a man-in-the-middle (MitM) attack, can return an extremely large response body and exhaust memory in the consuming application. The issue is categorized under [CWE-789] Memory Allocation with Excessive Size Value and is fixed in version 0.2.0-alpha.1.
Critical Impact
A malicious or compromised OpAMP server can trigger memory exhaustion and denial of service in any .NET application embedding the vulnerable OpAMP client.
Affected Products
- OpenTelemetry.OpAmp.Client NuGet package prior to 0.2.0-alpha.1
- OpenTelemetry .NET Contrib distributions bundling the OpAMP client
- .NET applications and OpenTelemetry collectors that consume OpAMP server responses over HTTP
Discovery Timeline
- 2026-05-12 - CVE-2026-42348 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42348
Vulnerability Analysis
The OpAMP client communicates with a management server to receive agent configuration, certificates, and downstream instructions. When the client receives a response over HTTP, it reads the entire response body into memory before decoding the protobuf payload. The implementation does not enforce a maximum content length or streaming threshold. A response of arbitrary size is therefore buffered in full.
An attacker controlling the OpAMP server endpoint can return a multi-gigabyte body. A network attacker capable of intercepting unencrypted or weakly authenticated traffic can perform the same action via MitM. The client process allocates contiguous buffer space until the host runs out of available memory, terminating the .NET application or destabilizing the host.
Root Cause
The root cause is the absence of a configurable upper bound on the HTTP response read operation. The client invokes a read-to-end pattern against the response stream rather than enforcing a MaxResponseContentBufferSize on the underlying HttpClient or validating the Content-Length header against a policy ceiling. This pattern matches the [CWE-789] category for memory allocation driven by an untrusted size value.
Attack Vector
Exploitation requires the victim application to initiate an OpAMP HTTP request to an attacker-controlled or intercepted endpoint. The attacker then responds with an oversized body. No authentication is required on the client side, and no user interaction is involved. Successful exploitation produces an availability impact through memory exhaustion. The vulnerability cannot be used to read or modify telemetry data integrity.
No public proof-of-concept is available. The vulnerability mechanism is described in the GitHub Security Advisory GHSA-w2jh-77fq-7gp8 and the upstream fix in Pull Request #4116.
Detection Methods for CVE-2026-42348
Indicators of Compromise
- Sudden spikes in process working set or private bytes for .NET processes hosting OpenTelemetry instrumentation
- OutOfMemoryException events in application logs originating from OpenTelemetry.OpAmp.Client call stacks
- HTTP responses from OpAMP server endpoints with Content-Length values exceeding expected configuration sizes
- Unexpected OpAMP endpoint hosts in outbound connection telemetry
Detection Strategies
- Inventory all .NET applications referencing the OpenTelemetry.OpAmp.Client package and flag versions below 0.2.0-alpha.1
- Inspect software bill of materials (SBOM) data for the vulnerable NuGet package identifier and version range
- Monitor egress traffic to OpAMP server endpoints and compare destination hosts against an allowlist
Monitoring Recommendations
- Alert on .NET process termination events correlated with high memory pressure on hosts running observability agents
- Capture HTTP response sizes for OpAMP traffic at the proxy or service mesh layer to detect anomalous payloads
- Forward application crash logs and dotnet runtime events to a centralized data lake for correlation
How to Mitigate CVE-2026-42348
Immediate Actions Required
- Upgrade OpenTelemetry.OpAmp.Client to version 0.2.0-alpha.1 or later across all .NET workloads
- Restrict OpAMP client configuration to trusted server endpoints under organizational control
- Enforce TLS with certificate validation on all OpAMP connections to prevent MitM payload injection
Patch Information
The maintainers fixed the issue in OpenTelemetry.OpAmp.Client version 0.2.0-alpha.1. The fix introduces a bounded read against the HTTP response stream. Review the patch details in Pull Request #4116 and the coordinated disclosure notes in the GitHub Security Advisory.
Workarounds
- Place a reverse proxy in front of the OpAMP server and enforce a maximum response body size at the proxy layer
- Configure host-level memory limits on containers running OpenTelemetry-instrumented .NET applications to contain blast radius
- Disable the OpAMP HTTP transport until the package upgrade is complete if the client cannot be patched immediately
# Upgrade the vulnerable NuGet package to the fixed version
dotnet add package OpenTelemetry.OpAmp.Client --version 0.2.0-alpha.1
# Verify resolved version in the project
dotnet list package --include-transitive | grep -i OpAmp
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
