
CVE-2026-44967: OpenTelemetry C++ DoS Vulnerability

CVE-2026-44967 is a denial of service vulnerability in OpenTelemetry C++ that enables memory exhaustion attacks through uncapped HTTP response reading. This article covers technical details, affected versions, and mitigation.


CVE-2026-44967 Overview

CVE-2026-44967 affects OpenTelemetry-cpp, the C++ implementation of the OpenTelemetry observability framework. The OTLP HTTP exporters for traces, metrics, and logs read full HTTP responses into an in-memory byte vector without enforcing a size cap (CWE-789). An attacker controlling the configured collector endpoint, or a network attacker capable of intercepting the exporter connection, can return oversized responses to exhaust process memory. The flaw impacts all releases prior to 1.27.0 and is resolved in opentelemetry-cpp 1.27.0.

Critical Impact

Adjacent-network or MITM attackers can crash applications relying on OpenTelemetry-cpp OTLP HTTP exporters by forcing unbounded memory allocation in the exporter client.

Affected Products

  • OpenTelemetry-cpp versions prior to 1.27.0
  • OTLP HTTP trace exporter
  • OTLP HTTP metrics and logs exporters

Discovery Timeline

  • 2026-06-12 - CVE-2026-44967 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-44967

Vulnerability Analysis

The OTLP HTTP exporters in OpenTelemetry-cpp accumulate the complete HTTP response body into a std::vector<uint8_t> buffer before parsing. The implementation does not impose an upper bound on the buffer size or validate the Content-Length header against a configured maximum. When the remote collector returns an arbitrarily large response, the exporter continues allocating memory until the process runs out of available address space.

Because the exporter is invoked from instrumented application code, the resulting memory exhaustion impacts the host process rather than a dedicated network daemon. The result is a denial-of-service condition affecting the application emitting telemetry, not the OpenTelemetry Collector itself.

Root Cause

The root cause is missing input size validation in the HTTP response handling path of the OTLP HTTP exporters. The unbounded read pattern matches CWE-789 (Memory Allocation with Excessive Size Value). Fix commits in opentelemetry-cpp pull request 4078 introduce a response size limit and reject responses that exceed it.
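As an added illustration that is not opentelemetry-cpp's own code, the following C++ contrasts the unbounded accumulation pattern described above with a capped response sink that validates Content-Length before buffering and then enforces the same limit on the bytes actually received, so a peer that lies about its length or uses chunked encoding is still stopped. The class names and the limit values passed by callers are assumptions made for this example.

```cpp
// Added illustration, not opentelemetry-cpp source: the unbounded accumulation
// pattern beside a capped sink. Class names and cap values are constructed.
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Unbounded sink: appends every chunk with no ceiling (the CWE-789 pattern).
struct UnboundedBodySink {
    std::vector<std::uint8_t> body;
    bool OnChunk(const std::uint8_t* data, std::size_t len) {
        body.insert(body.end(), data, data + len);
        return true;  // never refuses; growth is dictated by the peer
    }
};

// Capped sink: rejects once the declared or observed size exceeds the limit.
class CappedBodySink {
 public:
    explicit CappedBodySink(std::size_t max_bytes) : max_bytes_(max_bytes) {}

    // Check Content-Length, if present, before any body bytes are buffered.
    bool OnHeader(const std::string& name, const std::string& value) {
        if (name != "Content-Length") return true;
        unsigned long long declared = 0;
        try { declared = std::stoull(value); } catch (...) { return false; }
        if (declared > max_bytes_) { rejected_ = true; return false; }
        body_.reserve(static_cast<std::size_t>(declared));  // bounded, so safe
        return true;
    }

    // Enforce the cap on bytes actually received (chunked or lying peers).
    // Invariant body_.size() <= max_bytes_ keeps the subtraction from wrapping.
    bool OnChunk(const std::uint8_t* data, std::size_t len) {
        if (rejected_ || len > max_bytes_ - body_.size()) {
            rejected_ = true;
            body_.clear();  // drop what was buffered; caller aborts the transfer
            return false;
        }
        body_.insert(body_.end(), data, data + len);
        return true;
    }

    bool rejected() const { return rejected_; }
    std::size_t size() const { return body_.size(); }
 private:
    std::size_t max_bytes_;
    bool rejected_ = false;
    std::vector<std::uint8_t> body_;
};
```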

Attack Vector

Exploitation requires that the attacker influence the bytes returned by the collector endpoint. Two practical scenarios apply. First, an application is configured to point at a malicious or attacker-controlled OTLP HTTP collector. Second, a network-adjacent attacker performs a machine-in-the-middle attack against an exporter connection that lacks TLS or uses improperly validated TLS. In either case, the attacker returns an HTTP response with a body larger than available memory, causing allocation failure and process termination.

No verified public exploit code is available for CVE-2026-44967. See the vendor advisory GHSA-5qhm-4rfp-qqvj for technical details.

Detection Methods for CVE-2026-44967

Indicators of Compromise

  • Sudden process termination of applications instrumented with opentelemetry-cpp accompanied by std::bad_alloc or out-of-memory kernel messages.
  • Anomalously large HTTP responses returned by configured OTLP collector endpoints, particularly responses far exceeding the expected size of an export acknowledgment.
  • Unexpected changes to the OTEL_EXPORTER_OTLP_ENDPOINT environment variable or configuration files pointing telemetry traffic to unknown hosts.

Detection Strategies

  • Inventory all binaries linking opentelemetry-cpp and confirm the linked version is 1.27.0 or later using package metadata or symbol inspection.
  • Inspect network flows from instrumented hosts to OTLP collectors for response payloads exceeding a reasonable threshold such as 1 MB.
  • Correlate application crash events with preceding outbound traffic to OTLP endpoints to identify exploitation attempts.

Monitoring Recommendations

  • Alert on resident set size growth in instrumented processes that exceeds historical baselines.
  • Monitor DNS resolution and TLS certificate validation failures for configured collector hostnames.
  • Track configuration drift on telemetry endpoint settings across fleets using configuration management tooling.

How to Mitigate CVE-2026-44967

Immediate Actions Required

  • Upgrade opentelemetry-cpp to release 1.27.0 or later and rebuild all dependent applications.
  • Audit all OTLP HTTP exporter endpoint configurations and confirm they point only to trusted collectors under organizational control.
  • Enforce TLS with strict certificate validation on every OTLP HTTP exporter connection to prevent MITM substitution of responses.

Patch Information

The vulnerability is fixed in opentelemetry-cpp release 1.27.0. The fix is tracked in GitHub Pull Request 4078 and documented in GitHub Security Advisory GHSA-5qhm-4rfp-qqvj. A parallel advisory for the Go implementation is published as GHSA-w8rr-5gcm-pp58.

Workarounds

  • Route OTLP HTTP traffic exclusively over TLS to a collector hosted on trusted infrastructure, eliminating the MITM attack path.
  • Place a reverse proxy in front of the collector that enforces a maximum response body size and strips oversized payloads before they reach the exporter.
  • Apply OS-level memory limits such as cgroup memory.max or RLIMIT_AS to contain the blast radius of memory exhaustion in affected processes.

```bash
# Restrict process memory to contain exhaustion attempts on Linux
systemd-run --scope -p MemoryMax=512M /usr/local/bin/instrumented-app
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
