CVE-2026-41483

EPSS 0.32%
Veröffentlicht 06.05.2026 20:58:33
Zuletzt bearbeitet 15.05.2026 17:12:28
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Unbounded HTTP response body read in OpenTelemetry.Resources.Azure

OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size limit. An attacker who controls the configured endpoint, or who can intercept traffic to it via a man-in-the-middle attack, can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. As a workaround, disable the Azure VM resource detector or use network-level controls such as firewall rules, mTLS, or a service mesh to prevent man-in-the-middle attacks on the Azure VM instance metadata endpoint. This issue is fixed in version 1.15.1-beta.1, which streams responses rather than buffering them entirely in memory and ignores responses larger than 4 MiB.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Opentelemetry ≫ Opentelemetry.Resources.Azure SwPlatform.net Version <= 1.15.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.32%	0.238

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-vc24-j8c5-2vw4

Patch

Vendor Advisory

https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4121

Patch

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2026-41483

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-41483

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-41483

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-41483