OpenTelemetry .NET Zipkin exporter has unbounded remote endpoint cache leading...

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.

Basic Information

ID CVE-2026-41310

Source GitHub_M

Published May 6, 2026 at 20:54

Affected Product

Vendor open-telemetry

Product opentelemetry-dotnet

Version <= 1.15.2

Affected Versions open-telemetry opentelemetry-dotnet <= 1.15.2

CWE Classification

CWE-770 CWE-400

References

{
    "lastseen": "",
    "description": "OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.",
    "published": "2026-05-06T20:54:37.492Z",
    "modified": "2026-05-06T20:54:37.492Z",
    "type": "cve",
    "title": "OpenTelemetry .NET Zipkin exporter has unbounded remote endpoint cache leading to memory growth",
    "source": "GitHub_M",
    "references": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-88hf-wf7h-7w4m\nhttps://github.com/open-telemetry/opentelemetry-dotnet/pull/7081",
    "id": "CVE-2026-41310",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770",
        "CWE-400"
    ],
    "cvelist": null,
    "sourceData": "open-telemetry opentelemetry-dotnet <= 1.15.2",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "opentelemetry-dotnet",
    "version": "<= 1.15.2",
    "vendor": "open-telemetry",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OpenTelemetry .NET Zipkin exporter has unbounded remote endpoint cache leading to memory growth_CVE-2026-41310