CVE-2026-41173: CVE-2026-41173: Denial of Service in OpenTelemetry .NET SDK via Unbounded HTTP Allocation

#security #cve #cybersecurity

CVE-2026-41173: Denial of Service in OpenTelemetry .NET SDK via Unbounded HTTP Allocation

Vulnerability ID: CVE-2026-41173
CVSS Score: 5.9
Published: 2026-04-23

The OpenTelemetry .NET SDK AWS extensions contain a Denial of Service (DoS) vulnerability due to unbounded memory allocation. The SDK fails to enforce payload size limits when processing HTTP responses from AWS endpoints, allowing attackers to exhaust application memory.

TL;DR

Unbounded HTTP response buffering in OpenTelemetry .NET AWS packages allows an attacker who controls the endpoint network path to trigger an OutOfMemoryException, causing a full process Denial of Service.

Technical Details

CWE ID: CWE-770
Attack Vector: Network (with complexity)
CVSS Score: 5.9 (Medium)
Impact: High Availability Loss (DoS)
Exploit Status: None
CISA KEV: False

Affected Systems

OpenTelemetry.Sampler.AWS
OpenTelemetry.Resources.AWS
AWS X-Ray Remote Sampler
AWS EC2 Detector
AWS ECS Detector
AWS EKS Detector
OpenTelemetry.Sampler.AWS: < 0.1.0-alpha.8 (Fixed in: 0.1.0-alpha.8)
OpenTelemetry.Resources.AWS: < 1.15.1 (Fixed in: 1.15.1)

Mitigation Strategies

Upgrade the OpenTelemetry.Sampler.AWS package to version 0.1.0-alpha.8 or higher.
Upgrade the OpenTelemetry.Resources.AWS package to version 1.15.1 or higher.
Enforce process-level memory bounds using container resource limits.
Secure communications to local daemons using TLS and local firewall constraints.

Remediation Steps:

Identify all projects utilizing OpenTelemetry.Sampler.AWS and OpenTelemetry.Resources.AWS.
Update package references in .csproj files to the patched versions.
Recompile and test the application to ensure telemetry features function as expected.
Deploy the updated applications to production environments.