PT-2026-54845 · Unknown · @Opentelemetry/Instrumentation
Decsecre583
Published: 2026-07-01 · Updated: 2026-07-01
CVE-2026-54712
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
OpenTelemetry Java Instrumentation versions prior to 2.27.0
Description
An issue exists in the RMI context propagation payload reader where the number of context entries is limited, but the aggregate size of the strings read from the stream is not. An attacker capable of reaching an RMI endpoint on an instrumented JVM can send an oversized context propagation payload, causing excessive memory allocation and potentially leading to a denial of service. This affects deployments where RMI instrumentation is enabled and the RMI endpoint is network-reachable.
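The defect pattern the description refers to, as an added example that is not the project's code: a hypothetical length-prefixed context reader that caps the entry count but trusts every length field, beside a version that charges each declared length against a per-payload budget before allocating. The wire format, class name and limits are assumptions for the illustration.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Illustrative reader for a hypothetical length-prefixed payload (an assumption, not the
// project's format): int entryCount, then per entry int keyLen, key bytes, int valueLen, value bytes.
public class ContextPayloadReader {
    static final int MAX_ENTRIES = 64;            // the entry-count check the advisory says exists
    static final int MAX_TOTAL_BYTES = 16 * 1024; // the aggregate bound the advisory says is missing
    // Vulnerable pattern: the count is bounded but each length field is trusted, so one entry
    // claiming a multi-gigabyte length forces a huge allocation before any data has arrived.
    static Map<String, String> readUnbounded(InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        int count = din.readInt();
        if (count < 0 || count > MAX_ENTRIES) throw new IOException("too many context entries");
        Map<String, String> ctx = new LinkedHashMap<>();
        for (int i = 0; i < count; i++) {
            byte[] key = new byte[din.readInt()];   // attacker-controlled size, no upper bound
            din.readFully(key);
            byte[] value = new byte[din.readInt()]; // same problem for the value
            din.readFully(value);
            ctx.put(new String(key, StandardCharsets.UTF_8), new String(value, StandardCharsets.UTF_8));
        }
        return ctx;
    }
    // Hardened pattern: charge every declared length against a per-payload budget and reject
    // before allocating, so total memory is capped no matter how the bytes are split across entries.
    static Map<String, String> readBounded(InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        int count = din.readInt();
        if (count < 0 || count > MAX_ENTRIES) throw new IOException("too many context entries");
        int[] budget = {MAX_TOTAL_BYTES};
        Map<String, String> ctx = new LinkedHashMap<>();
        for (int i = 0; i < count; i++) {
            ctx.put(readChecked(din, budget), readChecked(din, budget)); // key is read first
        }
        return ctx;
    }
    // Reads one length-prefixed string; the length is validated and deducted from the budget
    // before the buffer exists, so a hostile length field never reaches the allocator.
    static String readChecked(DataInputStream din, int[] budget) throws IOException {
        int len = din.readInt();
        if (len < 0 || len > budget[0]) throw new IOException("context payload exceeds size budget");
        budget[0] -= len;
        byte[] buf = new byte[len];
        din.readFully(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }
}
```

A payload whose first length field claims two gigabytes is rejected by readBounded at the check, while readUnbounded would attempt the allocation, which is the denial-of-service condition the advisory describes.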
Recommendations
Update to version 2.27.0.
As a temporary mitigation, disable RMI instrumentation or restrict network access to the RMI endpoint.
Fix
DoS
Resource Exhaustion
Affected Products
@Opentelemetry/Instrumentation