CVE-2026-39882

EUVD-2026-20628
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
ADJACENT_NETWORK
HIGH
NONE
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 8%
Affected Products (NVD)
VendorProductVersion
opentelemetryopentelemetry
𝑥
< 1.43.0
𝑥
= Vulnerable software versions
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
amazon-cloudwatch-agent
Amazon Linux 2
0:1.300066.2-2.amzn2
fixed
Amazon Linux 2023
0:1.300066.2-2.amzn2023
fixed
containerd
Amazon Linux 2023
0:2.2.3-1.amzn2023.0.1
fixed
containerd-debuginfo
Amazon Linux 2023
0:2.2.3-1.amzn2023.0.1
fixed
containerd-debugsource
Amazon Linux 2023
0:2.2.3-1.amzn2023.0.1
fixed
containerd-stress
Amazon Linux 2023
0:2.2.3-1.amzn2023.0.1
fixed
containerd-stress-debuginfo
Amazon Linux 2023
0:2.2.3-1.amzn2023.0.1
fixed
docker
Amazon Linux 2023
0:25.0.14-1.amzn2023.0.5
fixed
docker-debuginfo
Amazon Linux 2023
0:25.0.14-1.amzn2023.0.5
fixed
docker-debugsource
Amazon Linux 2023
0:25.0.14-1.amzn2023.0.5
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
azurelinux-image-tools
Azure Linux 3.0
0:1.3.0-1.azl3
fixed
containerd2
Azure Linux 3.0
0:2.2.4-2.azl3
fixed
docker-buildx
Azure Linux 3.0
0:0.14.0-11.azl3
fixed
docker-compose
Azure Linux 3.0
0:2.27.0-9.azl3
fixed
moby-containerd-cc
Azure Linux 3.0
0:1.7.7-11.azl3
fixed
moby-engine
Azure Linux 3.0
0:25.0.3-17.azl3
fixed