
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-39882: Memory Exhaustion Denial of Service in OpenTelemetry-Go OTLP HTTP Exporters

Vulnerability ID: CVE-2026-39882
CVSS Score: 5.3
Published: 2026-04-08

OpenTelemetry-Go prior to version 1.43.0 suffers from an uncontrolled resource consumption vulnerability in its OTLP HTTP exporters: the exporters read the collector's HTTP response body into memory without a size limit. An attacker who controls the telemetry collector, or who can intercept the exporter's connection (Man-in-the-Middle), can therefore exhaust the exporting application's memory by returning an excessively large response body.

TL;DR

Unbounded HTTP response body reads in OpenTelemetry-Go OTLP exporters lead to memory exhaustion and DoS. Upgrading to 1.43.0 mitigates the issue via io.LimitReader.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-789
  • Attack Vector: Adjacent Network
  • CVSS v3.1: 5.3
  • EPSS Score: 0.00016
  • Impact: High (Denial of Service)
  • Exploit Status: Proof of Concept
  • CISA KEV: Not Listed

Affected Systems

  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp
  • go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp
  • go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
  • otlptracehttp: < 1.43.0 (Fixed in: 1.43.0)
  • otlpmetrichttp: < 1.43.0 (Fixed in: 1.43.0)
  • otlploghttp: < 0.19.0 (Fixed in: 1.43.0)

Code Analysis

Commit: 248da95

Secondary mitigation: Ensure internal instrumentation operations check Enabled(ctx) before performing computationally heavy work or allocations.
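The following Go program is an added example, not code from the OpenTelemetry-Go repository or from the referenced commit. It contrasts the unbounded read pattern the advisory describes (io.ReadAll on the full response body) with a bounded read built on io.LimitReader, and exercises both against an in-process httptest server that plays the role of a hostile collector returning a multi-megabyte response. The function names, the 1 MiB cap and the hostile-collector behaviour are assumptions chosen for the demonstration; the actual limit used by 1.43.0 is not stated on this page.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxResponseBody is an assumed cap for this demonstration only; the
// exporter's real limit after the fix is not stated in the advisory.
const maxResponseBody = 1 << 20 // 1 MiB

var errBodyTooLarge = errors.New("response body exceeds limit")

// readAllUnbounded mirrors the pre-fix pattern: trust the peer and read the
// whole body into memory. A multi-gigabyte response is a multi-gigabyte
// allocation, which is the memory-exhaustion condition in CVE-2026-39882.
func readAllUnbounded(body io.Reader) ([]byte, error) {
	return io.ReadAll(body)
}

// readBounded reads at most limit bytes. It asks io.LimitReader for limit+1
// bytes so that an oversized body is detected and rejected rather than
// silently truncated and passed downstream as if it were complete.
func readBounded(body io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(body, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, errBodyTooLarge
	}
	return data, nil
}

// postTelemetry is a hypothetical stand-in for an OTLP/HTTP export call.
// The response body is only needed for status/error diagnostics, so a
// bounded read is sufficient; the allocation is capped regardless of what
// the collector sends.
func postTelemetry(client *http.Client, url string, payload []byte, limit int64) (int, []byte, error) {
	resp, err := client.Post(url, "application/x-protobuf", bytes.NewReader(payload))
	if err != nil {
		return 0, nil, err
	}
	defer resp.Body.Close()
	body, err := readBounded(resp.Body, limit)
	return resp.StatusCode, body, err
}

// hostileCollector is a constructed test server that answers every export
// with a 500 and a response body of bodySize bytes, simulating a compromised
// collector or an in-path attacker.
func hostileCollector(bodySize int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.Copy(io.Discard, r.Body)
		w.WriteHeader(http.StatusInternalServerError)
		chunk := bytes.Repeat([]byte("A"), 64*1024)
		for sent := 0; sent < bodySize; sent += len(chunk) {
			if remaining := bodySize - sent; remaining < len(chunk) {
				chunk = chunk[:remaining]
			}
			w.Write(chunk)
		}
	}))
}

func main() {
	srv := hostileCollector(8 << 20) // 8 MiB of junk per response
	defer srv.Close()

	// Bounded path: stops after 1 MiB+1 bytes and reports an error.
	status, body, err := postTelemetry(srv.Client(), srv.URL+"/v1/traces", []byte("otlp-bytes"), maxResponseBody)
	fmt.Printf("bounded: status=%d bytes_kept=%d err=%v\n", status, len(body), err)

	// Unbounded path on the same server: allocates the full 8 MiB.
	resp, err := srv.Client().Post(srv.URL+"/v1/traces", "application/x-protobuf", bytes.NewReader([]byte("otlp-bytes")))
	if err == nil {
		defer resp.Body.Close()
		all, _ := readAllUnbounded(resp.Body)
		fmt.Printf("unbounded: status=%d bytes_allocated=%d\n", resp.StatusCode, len(all))
	}
}
```

The limit+1 trick matters in practice: a plain io.LimitReader(body, limit) would return a truncated body with no error, so callers that log or parse the body could not tell a legitimately short response from a clipped hostile one. With the bounded path in place, the memory ceiling is set by the exporter, not by the peer, which is the property the 1.43.0 fix restores.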

Mitigation Strategies

  • Upgrade OpenTelemetry-Go to version 1.43.0
  • Enforce Mutual TLS (mTLS) to prevent MITM attacks
  • Configure strict container-level memory limits

Remediation Steps:

  1. Identify all projects utilizing go.opentelemetry.io/otel/exporters/otlp/otlp* modules.
  2. Update the module requirements in go.mod to v1.43.0.
  3. Run go mod tidy and recompile the applications.
  4. Deploy the updated binaries to production environments.
