CVE-2026-41078

CVSS v3.1

5.9

Medium

AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

[!IMPORTANT] There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023. It is for informational purposes only.

OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service.

Details

The Jaeger exporter conversion path can append tag/event data into pooled list structures. In affected versions, pooled allocation sizing may be influenced by large observed payloads and reused globally across later allocations, resulting in persistent oversized rentals and elevated memory pressure. In environments where telemetry attributes/events can be influenced by untrusted input and limits are increased from defaults, this may lead to process instability or denial of service.

Impact

Availability impact only. Confidentiality and integrity impacts are not expected.

Workarounds / Mitigations

Prefer maintained exporters (for example OpenTelemetry Protocol format (OTLP)) instead of the Jaeger exporter.

Fix

Resource Exhaustion

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400CWE-770

Related Identifiers

CVE-2026-41078

GHSA-38H3-2333-QX47

Affected Products

Opentelemetry.Exporter.Jaeger

CVE-2026-41078

Summary

Details

Impact

Workarounds / Mitigations

Weakness Enumeration

Related Identifiers

Affected Products

References · 4