Strix
26.1K

CVE-2026-41078

MEDIUMCVSS 5.9/10EPSS 0.22%

Last modified

CVE-2026-41078 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. EPSS estimates a 0.22% chance of exploitation in the next 30 days.

Description

OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023.

Metrics

CVSS 3.1
5.9/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability
0.22%

12.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
OpentelemetryOpentelemetry< 1.6.0
OpentelemetryOpentelemetry1.6.0Alpha1

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-41078?
OpenTelemetry dotnet is a dotnet telemetry framework. In 1.6.0-rc.1 and earlier, OpenTelemetry.Exporter.Jaeger may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. There is no plan to fix this issue as OpenTelemetry.Exporter.Jaeger was deprecated in 2023.
How severe is CVE-2026-41078?
CVE-2026-41078 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 0.22% probability of exploitation in the next 30 days.
How do I fix CVE-2026-41078?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-41078?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST