CVE 5.3 MEDIUM

OpenTelemetry Javaagent RMI context propagation allows resource exhaustion_CVE-2026-54712

5.3 / 10
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.27.0, the RMI context propagation payload reader limits the number of context entries but does not limit the aggregate size of the strings read from the stream. An attacker who can reach an RMI endpoint on an instrumented JVM can send an oversized context propagation payload. This can cause excessive memory allocation while the JVM reads the payload, potentially leading to denial of service. The issue affects only deployments where RMI instrumentation is enabled and an RMI endpoint is network-reachable. This issue has been fixed in version 2.27.0.

Basic Information

ID CVE-2026-54712
Source GitHub_M
Published Jul 1, 2026 at 21:17

Affected Product

Vendor open-telemetry
Product opentelemetry-java-instrumentation
Version < 2.27.0
Affected Versions open-telemetry opentelemetry-java-instrumentation < 2.27.0

CWE Classification

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.