CVE-2026-39882
EUVD-2026-2062808.04.2026, 21:17
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| opentelemetry | opentelemetry | 𝑥 < 1.43.0 |
𝑥
= Vulnerable software versions
Amazon Linux Releases
Amazon Package | |||||
|---|---|---|---|---|---|
| amazon-cloudwatch-agent |
| ||||
| containerd |
| ||||
| containerd-debuginfo |
| ||||
| containerd-debugsource |
| ||||
| containerd-stress |
| ||||
| containerd-stress-debuginfo |
| ||||
| docker |
| ||||
| docker-debuginfo |
| ||||
| docker-debugsource |
|
Azure Linux Releases
Azure Package | |||
|---|---|---|---|
| azurelinux-image-tools |
| ||
| containerd2 |
| ||
| docker-buildx |
| ||
| docker-compose |
| ||
| moby-containerd-cc |
| ||
| moby-engine |
|
Common Weakness Enumeration