CVE-2026-41483: OpenTelemetry.Resources.Azure has an unbounded HTTP response body read
OpenTelemetry.Resources.Azure reads unbounded HTTP response bodies from the Azure VM remote instance metadata service endpoint into memory.
This would allow an attacker-controlled endpoint, or an attacker acting as a Man-in-the-Middle (MitM), to cause excessive memory allocation and possibly terminate the process through an Out of Memory (OOM) condition.
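The general mitigation for this class of bug is to cap how many bytes of the response body are read. The following C# sketch is an added example, not the project's code or its actual fix; `OversizedHandler`, `BoundedMetadataReader`, the 64 KiB cap and the `metadata.invalid` URL are hypothetical names and values chosen for illustration.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Demo: the stub endpoint below sends 64 MiB; the reader refuses it instead of buffering it.
using var client = new HttpClient(new OversizedHandler());
try { await BoundedMetadataReader.GetAsync(client, "http://metadata.invalid/instance"); }
catch (InvalidDataException e) { Console.WriteLine($"rejected: {e.Message}"); }

// Constructed stand-in for an attacker-controlled or intercepted metadata endpoint.
sealed class OversizedHandler : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage req, CancellationToken ct) =>
        Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK)
            { Content = new StreamContent(new MemoryStream(new byte[64 * 1024 * 1024])) });
}

static class BoundedMetadataReader
{
    const int MaxBytes = 64 * 1024; // assumed cap; instance metadata documents are small

    public static async Task<byte[]> GetAsync(HttpClient client, string url, CancellationToken ct = default)
    {
        // ResponseHeadersRead returns before the body is buffered, so the read stays under our control.
        using var response = await client.GetAsync(url, HttpCompletionOption.ResponseHeadersRead, ct);
        response.EnsureSuccessStatusCode();

        // Cheap early reject. Content-Length may be absent or wrong, so the loop still enforces the cap.
        if (response.Content.Headers.ContentLength > MaxBytes)
            throw new InvalidDataException("metadata response exceeds size limit");

        using var body = await response.Content.ReadAsStreamAsync();
        var buffer = new byte[MaxBytes + 1]; // one spare byte to detect overflow
        int total = 0, read;
        while ((read = await body.ReadAsync(buffer, total, buffer.Length - total, ct)) > 0)
        {
            total += read;
            if (total > MaxBytes)
                throw new InvalidDataException("metadata response exceeds size limit");
        }
        var result = new byte[total];
        Array.Copy(buffer, result, total);
        return result;
    }
}
```

With the stub above the `Content-Length` check fires first; the read loop is what bounds memory when the header is missing or understated, as with a chunked response.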
References
- github.com/advisories/GHSA-vc24-j8c5-2vw4
- github.com/open-telemetry/opentelemetry-dotnet-contrib
- github.com/open-telemetry/opentelemetry-dotnet-contrib/commit/9d8a364af919f62c088edd641c554cb720198964
- github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4121
- github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-vc24-j8c5-2vw4
- nvd.nist.gov/vuln/detail/CVE-2026-41483