CVE-2026-54712 Overview
CVE-2026-54712 is a denial of service vulnerability in OpenTelemetry Java Instrumentation, which provides auto-instrumentation and instrumentation libraries for Java applications. The flaw exists in the Remote Method Invocation (RMI) context propagation payload reader. Versions prior to 2.27.0 limit the number of context entries but fail to limit the aggregate size of strings read from the stream. An attacker who can reach an RMI endpoint on an instrumented Java Virtual Machine (JVM) can send an oversized context propagation payload. The payload triggers excessive memory allocation while the JVM reads it, potentially leading to service disruption. The issue is tracked under [CWE-400] Uncontrolled Resource Consumption.
Critical Impact
Network-reachable attackers can exhaust JVM memory by sending oversized RMI context propagation payloads to instrumented services, causing denial of service.
Affected Products
- OpenTelemetry Java Instrumentation versions prior to 2.27.0
- Java applications with RMI instrumentation enabled
- JVMs exposing network-reachable RMI endpoints
Discovery Timeline
- 2026-07-01 - CVE-2026-54712 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-54712
Vulnerability Analysis
The vulnerability resides in the RMI context propagation payload reader within OpenTelemetry Java Instrumentation. The reader deserializes context propagation entries transmitted alongside RMI calls. While the code enforces a maximum entry count, it does not cap the total byte size of the string data being read. An attacker who sends a payload declaring a permitted number of entries but with individually massive string values forces the JVM to allocate large amounts of heap memory during deserialization. Sustained or repeated requests can exhaust available memory, causing garbage collection thrashing or OutOfMemoryError conditions that disrupt the instrumented service.
Root Cause
The root cause is missing input size validation during payload parsing. The reader trusts declared string lengths in the RMI context propagation stream and allocates buffers proportional to the attacker-controlled input. This falls under [CWE-400] Uncontrolled Resource Consumption. Effective mitigation requires enforcing an aggregate byte-size ceiling on the deserialized payload, not just an entry count limit.
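The two reader patterns described above, shown side by side in a Java example added here (not the project's code): the entry-count cap alone versus the same cap plus an aggregate byte budget. The wire format, the class and method names, and the 32-entry and 64 KiB limits are all assumptions made for this illustration.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical wire format, not the project's real one: int entryCount, then per entry
// (int keyLen, key bytes, int valLen, value bytes). Only the byte budget separates the paths.
public final class ContextPayloadReader {
  static final int MAX_ENTRIES = 32;            // the kind of cap the pre-2.27.0 reader had
  static final long MAX_TOTAL_BYTES = 64 * 1024; // the aggregate ceiling the fix class adds

  // Pass Long.MAX_VALUE as maxTotalBytes to reproduce the vulnerable behaviour: every
  // declared length is then trusted and new byte[len] runs before a payload byte arrives.
  static Map<String, String> read(DataInputStream in, long maxTotalBytes) throws IOException {
    int count = in.readInt();
    if (count < 0 || count > MAX_ENTRIES) throw new IOException("entry count out of range: " + count);
    Map<String, String> ctx = new LinkedHashMap<>();
    long[] budget = {maxTotalBytes}; // bytes still allowed across all keys and values
    for (int i = 0; i < count; i++) {
      String key = readString(in, budget);
      ctx.put(key, readString(in, budget));
    }
    return ctx;
  }

  // Check the declared length against the remaining budget before allocating anything.
  static String readString(DataInputStream in, long[] budget) throws IOException {
    int len = in.readInt();
    if (len < 0 || len > budget[0]) throw new IOException("declared length " + len + " exceeds payload budget");
    budget[0] -= len;
    byte[] bytes = new byte[len]; // with an unbounded budget this is the attacker-sized allocation
    in.readFully(bytes);
    return new String(bytes, StandardCharsets.UTF_8);
  }

  // Constructed sample: one entry, within the count cap, whose value claims 1 GiB but is
  // followed by three real bytes, the shape the advisory describes.
  public static void main(String[] args) throws IOException {
    ByteArrayOutputStream buf = new ByteArrayOutputStream();
    DataOutputStream out = new DataOutputStream(buf);
    byte[] key = "traceparent".getBytes(StandardCharsets.UTF_8);
    out.writeInt(1); out.writeInt(key.length); out.write(key);
    out.writeInt(1 << 30); out.write(new byte[] {1, 2, 3});
    try {
      read(new DataInputStream(new ByteArrayInputStream(buf.toByteArray())), MAX_TOTAL_BYTES);
    } catch (IOException e) {
      System.out.println("hardened reader rejected payload: " + e.getMessage());
    }
  }
}
```

With `Long.MAX_VALUE` as the budget, the same bytes reach `new byte[1 << 30]` before `readFully` notices the stream is short; that allocation, repeated per request, is the resource exhaustion the advisory describes, and the budgeted reader refuses it after reading only eight header bytes.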
Attack Vector
Exploitation requires network reachability to an RMI endpoint on an instrumented JVM. The attacker crafts a malicious RMI request carrying a context propagation payload with oversized string values within the allowed entry count. No authentication or user interaction is required. Only deployments that both enable RMI instrumentation and expose an RMI endpoint to attacker-controlled networks are affected. The vulnerability manifests through legitimate protocol channels, making it difficult to distinguish malicious payloads from legitimate large context data without size enforcement. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-54712
Indicators of Compromise
- Sudden JVM heap growth or OutOfMemoryError events on services running OpenTelemetry Java Instrumentation with RMI enabled
- Elevated garbage collection activity coinciding with inbound RMI traffic
- Anomalously large RMI request payloads originating from untrusted network segments
Detection Strategies
- Inventory Java services using OpenTelemetry Java Instrumentation and identify versions below 2.27.0
- Correlate RMI endpoint traffic volume with JVM memory metrics to identify size anomalies
- Alert on repeated JVM restarts or crashes on hosts exposing RMI ports (typically 1099 and dynamically assigned ports)
Monitoring Recommendations
- Track heap utilization, GC pause duration, and allocation rates on instrumented JVMs
- Monitor inbound connections to RMI registry and object ports for unexpected sources
- Ingest JVM and network telemetry into a centralized analytics platform to detect coordinated exhaustion patterns
How to Mitigate CVE-2026-54712
Immediate Actions Required
- Upgrade OpenTelemetry Java Instrumentation to version 2.27.0 or later across all affected Java services
- Restrict network access to RMI endpoints using firewall rules or network segmentation so only trusted hosts can connect
- Audit deployments to identify JVMs that both enable RMI instrumentation and expose RMI endpoints externally
Patch Information
The maintainers fixed the issue in OpenTelemetry Java Instrumentation version 2.27.0 by enforcing aggregate size limits on RMI context propagation payloads. Refer to the GitHub Security Advisory GHSA-fq3f-m5qm-99f5 for the full advisory and release notes.
Workarounds
- Disable RMI instrumentation in OpenTelemetry configuration if RMI observability is not required
- Block inbound RMI traffic at the network perimeter and restrict RMI to loopback or private management networks
- Apply JVM heap and request rate limits to reduce the impact of memory exhaustion attempts until patching completes
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

