CVE-2026-41310: OpenTelemetry's Zipkin remote endpoint cache could grow without bounds and increase memory pressure
The Zipkin exporter remote endpoint cache accepted unbounded key growth derived from span attributes. In high-cardinality scenarios, this could increase process memory usage over time and degrade availability.
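The failure mode described above, next to one way to bound it, as an added example that is not the project's code or its actual fix. `Endpoint`, `UnboundedEndpointCache`, `BoundedEndpointCache`, the 1000-entry cap and the `peer-N` values are all hypothetical.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading;

// Constructed high-cardinality input: 100,000 distinct attribute-derived values.
var bounded = new BoundedEndpointCache(maxEntries: 1000); // cap is an assumed value
for (var i = 0; i < 100_000; i++)
{
    UnboundedEndpointCache.Get($"peer-{i}");
    bounded.Get($"peer-{i}");
}
Console.WriteLine($"unbounded={UnboundedEndpointCache.Count} bounded={bounded.Count}");

// Hypothetical stand-in for an exporter's endpoint object.
public sealed record Endpoint(string ServiceName);

// Before: every distinct attribute value becomes a permanent cache entry.
public static class UnboundedEndpointCache
{
    private static readonly ConcurrentDictionary<string, Endpoint> Cache = new();
    public static int Count => Cache.Count;
    public static Endpoint Get(string serviceName) =>
        Cache.GetOrAdd(serviceName, static name => new Endpoint(name));
}

// After: entries are retained only while under a fixed cap. Past the cap,
// endpoints are built per call and not stored, so memory stays bounded.
public sealed class BoundedEndpointCache
{
    private readonly ConcurrentDictionary<string, Endpoint> cache = new();
    private readonly int maxEntries;
    private int reserved;
    public BoundedEndpointCache(int maxEntries) => this.maxEntries = maxEntries;
    public int Count => this.cache.Count;

    public Endpoint Get(string serviceName)
    {
        if (this.cache.TryGetValue(serviceName, out var hit)) return hit;
        var created = new Endpoint(serviceName);
        // Reserve a slot before inserting so concurrent callers cannot overshoot the cap.
        if (Interlocked.Increment(ref this.reserved) > this.maxEntries)
        {
            Interlocked.Decrement(ref this.reserved);
            return created; // cache full: serve uncached
        }
        if (this.cache.TryAdd(serviceName, created)) return created;
        Interlocked.Decrement(ref this.reserved); // lost the race: key already added
        return this.cache[serviceName];
    }
}
```

The bounded variant trades cache hits for a memory ceiling once the cap is reached; an eviction policy such as LRU is an alternative when late-arriving keys still need to be cached.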
References
- github.com/advisories/GHSA-88hf-wf7h-7w4m
- github.com/open-telemetry/opentelemetry-dotnet
- github.com/open-telemetry/opentelemetry-dotnet/commit/c724f4bd6fd88e9a599af1668bf7af9487155b62
- github.com/open-telemetry/opentelemetry-dotnet/pull/7081
- github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-88hf-wf7h-7w4m
- nvd.nist.gov/vuln/detail/CVE-2026-41310