PT-2026-37115 · Unknown · Opentelemetry.Resources.Azure

Smartincostello · Published 2026-04-29 · Updated 2026-05-17 · CVE-2026-41483

CVSS v3.1: 5.9 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

OpenTelemetry.Resources.Azure versions prior to 1.15.0-beta.2

Description

The AzureVmMetaDataRequestor() function makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without a size limit. An attacker who controls the configured endpoint or intercepts traffic via a man-in-the-middle attack can return an arbitrarily large response body. This leads to unbounded heap allocation, causing high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process, resulting in a Denial of Service (DoS).

Recommendations

Update to version 1.15.0-beta.2 or later. Disable the Azure VM resource detector. Use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the Azure VM instance metadata endpoint.
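
The weakness described above is a response body read with no upper bound. The following C# sketch is an added illustration of a bounded read, not code from OpenTelemetry.Resources.Azure or its fix; the class name `BoundedMetadataReader` and the 64 KiB cap are assumptions chosen for the example.

```csharp
// Added illustration of a size-capped HTTP read; not the library's own code.
using System;
using System.IO;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

public static class BoundedMetadataReader   // hypothetical helper name
{
    // Assumed cap: set it comfortably above the largest legitimate response you expect.
    private const int MaxResponseBytes = 64 * 1024;

    public static async Task<byte[]> ReadAsync(HttpClient client, Uri endpoint, CancellationToken ct)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, endpoint);
        request.Headers.Add("Metadata", "true"); // header the Azure instance metadata service requires

        // ResponseHeadersRead returns as soon as headers arrive, so HttpClient
        // does not buffer the whole body into memory before we can inspect it.
        using var response = await client.SendAsync(
            request, HttpCompletionOption.ResponseHeadersRead, ct);
        response.EnsureSuccessStatusCode();

        // Cheap early rejection when the peer declares an oversized body.
        if (response.Content.Headers.ContentLength is long declared && declared > MaxResponseBytes)
            throw new InvalidDataException($"Declared body of {declared} bytes exceeds the cap.");

        // Content-Length may be absent (chunked encoding) or untrue, so the
        // bytes actually received are counted and the read stops at the cap.
        using var body = await response.Content.ReadAsStreamAsync();
        using var buffer = new MemoryStream();
        var chunk = new byte[8192];
        int read;
        while ((read = await body.ReadAsync(chunk, 0, chunk.Length, ct)) > 0)
        {
            if (buffer.Length + read > MaxResponseBytes)
                throw new InvalidDataException("Response body exceeds the cap.");
            buffer.Write(chunk, 0, read);
        }
        return buffer.ToArray();
    }
}
```

Pair the cap with a request timeout or a cancellation token that expires, since a peer that sends bytes slowly stays under the size limit while still holding the caller.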

Fix

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-41483
GHSA-VC24-J8C5-2VW4

Affected Products

Opentelemetry.Resources.Azure