2026-05-06 20:54 | CVE-2026-41310 | GitHub_M
PUBLISHED | 5.2 | CWE-770 | CWE-400

OpenTelemetry .NET Zipkin exporter has unbounded remote endpoint cache leading to memory growth

OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.

Problem type

Affected products

open-telemetry

opentelemetry-dotnet

<= 1.15.2 - AFFECTED

References

GitHub Security Advisories

GHSA-88hf-wf7h-7w4m

OpenTelemetry's Zipkin remote endpoint cache could grow without bounds and increase memory pressure

https://github.com/advisories/GHSA-88hf-wf7h-7w4m

Summary

The Zipkin exporter remote endpoint cache accepted unbounded key growth derived from span attributes. In high-cardinality scenarios, this could increase process memory usage over time and degrade availability.

Details

  • Introduce a bounded, thread-safe LRU cache for remote endpoints.
  • Enforce fixed maximum size to prevent unbounded growth.

Impact

  • A process using Zipkin export for client/producer spans could experience avoidable memory growth under sustained unique remote endpoint values.

Resources

#7081

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-41310
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-41310",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-05-06T20:54:37.492Z",
    "dateReserved": "2026-04-20T14:01:46.670Z",
    "datePublished": "2026-05-06T20:54:37.492Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-05-06T20:54:37.492Z"
      },
      "title": "OpenTelemetry .NET Zipkin exporter has unbounded remote endpoint cache leading to memory growth",
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size."
        }
      ],
      "affected": [
        {
          "vendor": "open-telemetry",
          "product": "opentelemetry-dotnet",
          "versions": [
            {
              "version": "<= 1.15.2",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "cweId": "CWE-770",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "cweId": "CWE-400",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-88hf-wf7h-7w4m",
          "name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-88hf-wf7h-7w4m",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7081",
          "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7081",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM"
          }
        }
      ]
    }
  }
}