OpenTelemetry's Zipkin remote endpoint cache could grow without bounds and increase memory pressure

GHSA-88hf-wf7h-7w4m · CVE-2026-41310

Published Apr 28, 2026 · Modified May 8, 2026

Description

Summary

The Zipkin exporter remote endpoint cache accepted unbounded key growth derived from span attributes. In high-cardinality scenarios, this could increase process memory usage over time and degrade availability.

Details

Introduce a bounded, thread-safe LRU cache for remote endpoints.
Enforce fixed maximum size to prevent unbounded growth.

Impact

A process using Zipkin export for client/producer spans could experience avoidable memory growth under sustained unique remote endpoint values.

Resources

#7081

References

WEB https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-88hf-wf7h-7w4m
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-41310
WEB https://github.com/open-telemetry/opentelemetry-dotnet/pull/7081
WEB https://github.com/open-telemetry/opentelemetry-dotnet/commit/c724f4bd6fd88e9a599af1668bf7af9487155b62
PACKAGE https://github.com/open-telemetry/opentelemetry-dotnet

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes