CVE-2026-44967

Published: Jun 12, 2026Modified: Jun 12, 2026

5.3

Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 1.6 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

OpenTelemetry-cpp is the C++ implementation of OpenTelemetry. Prior to release 1.27.0, the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response into an in-memory vector of bytes without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can MITM the exporter connection). This vulnerability is fixed in opentelemetry-cpp release 1.27.0.

Related CWEs

CWE-789

Memory Allocation with Excessive Size Value

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

References (5)

https://github.com/open-telemetry/opentelemetry-cpp/issues/3958

Source: security-advisories@github.com

https://github.com/open-telemetry/opentelemetry-cpp/pull/4078

Source: security-advisories@github.com

https://github.com/open-telemetry/opentelemetry-cpp/security/advisories/GHSA-5qhm-4rfp-qqvj

Source: security-advisories@github.com

https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58

Source: security-advisories@github.com

https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Timeline

No history available yet.