CVE-2026-41310

Source
https://cve.org/CVERecord?id=CVE-2026-41310
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41310.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41310
Aliases
Published
2026-05-06T20:54:37.492Z
Modified
2026-07-08T08:13:13.148243560Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
OpenTelemetry .NET Zipkin exporter has unbounded remote endpoint cache leading to memory growth
Details

OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41310.json",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/open-telemetry/opentelemetry-dotnet

Affected ranges

Type
GIT
Repo
https://github.com/open-telemetry/opentelemetry-dotnet
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:opentelemetry:opentelemetry.exporter.zipkin:*:*:*:*:*:.net:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.15.2"
        },
        {
            "fixed": "1.15.3"
        }
    ]
}

Affected versions

0.*
0.2.0-alpha
0.3.0-beta
0.4.0-beta
0.5.0-beta
0.6.0-beta
0.7.0-beta
0.8.0-beta
1.*
1.0.0-rc1
1.0.0-rc10
1.0.0-rc2
1.0.0-rc3
1.0.0-rc4
1.0.0-rc5
1.0.0-rc6
1.0.0-rc7
1.0.0-rc8
1.0.0-rc9
1.0.0-rc9.1
1.0.0-rc9.10
1.0.0-rc9.11
1.0.0-rc9.12
1.0.0-rc9.13
1.0.0-rc9.14
1.0.0-rc9.2
1.0.0-rc9.3
1.0.0-rc9.4
1.0.0-rc9.5
1.0.0-rc9.6
1.0.0-rc9.7
1.0.0-rc9.8
1.0.0-rc9.9
1.5.0-beta.1
1.5.1-beta.1
1.6.0-beta.1
1.6.0-beta.2
1.6.0-beta.3
1.6.0-rc.1
1.7.0-beta.1
Instrumentation.*
Instrumentation.AspNetCore-1.6.0
Instrumentation.AspNetCore-1.7.0
Instrumentation.AspNetCore-1.7.1
Instrumentation.AspNetCore-1.8.0
Instrumentation.AspNetCore-1.8.1
Instrumentation.GrpcNetClient-1.7.0-beta.1
Instrumentation.GrpcNetClient-1.8.0-beta.1
Instrumentation.Http-1.6.0
Instrumentation.Http-1.7.0
Instrumentation.Http-1.7.1
Instrumentation.Http-1.8.0
Instrumentation.Http-1.8.1
Instrumentation.SqlClient-1.7.0-beta.1
Instrumentation.SqlClient-1.8.0-beta.1
core-1.*
core-1.0.0-rc3
core-1.0.0-rc4
core-1.0.1
core-1.1.0
core-1.1.0-beta1
core-1.1.0-beta2
core-1.1.0-beta3
core-1.1.0-beta4
core-1.1.0-rc1
core-1.10.0
core-1.10.0-beta.1
core-1.10.0-rc.1
core-1.11.0
core-1.11.0-rc.1
core-1.11.1
core-1.11.2
core-1.12.0
core-1.13.0
core-1.13.1
core-1.14.0
core-1.14.0-rc.1
core-1.15.0
core-1.15.1
core-1.15.2
core-1.2.0
core-1.2.0-alpha1
core-1.2.0-alpha2
core-1.2.0-alpha3
core-1.2.0-alpha4
core-1.2.0-beta1
core-1.2.0-beta2
core-1.2.0-rc1
core-1.2.0-rc2
core-1.2.0-rc3
core-1.2.0-rc4
core-1.2.0-rc5
core-1.3.0
core-1.3.0-beta.1
core-1.3.0-beta.2
core-1.3.0-rc.2
core-1.4.0
core-1.4.0-alpha.1
core-1.4.0-alpha.2
core-1.4.0-beta.1
core-1.4.0-beta.2
core-1.4.0-beta.3
core-1.4.0-rc.1
core-1.4.0-rc.2
core-1.4.0-rc.3
core-1.4.0-rc.4
core-1.5.0
core-1.5.0-alpha.1
core-1.5.0-rc.1
core-1.6.0
core-1.6.0-alpha.1
core-1.6.0-rc.1
core-1.7.0
core-1.7.0-alpha.1
core-1.7.0-rc.1
core-1.8.0
core-1.8.0-beta.1
core-1.8.0-rc.1
core-1.9.0
core-1.9.0-alpha.1
core-1.9.0-rc.1
coreunstable-1.*
coreunstable-1.10.0-beta.1
coreunstable-1.11.0-beta.1
coreunstable-1.11.2-beta.1
coreunstable-1.12.0-beta.1
coreunstable-1.13.0-beta.1
coreunstable-1.13.1-beta.1
coreunstable-1.14.0-beta.1
coreunstable-1.15.0-beta.1
coreunstable-1.15.1-beta.1
coreunstable-1.15.2-beta.1
coreunstable-1.9.0-alpha.1
coreunstable-1.9.0-alpha.2
coreunstable-1.9.0-beta.1
coreunstable-1.9.0-beta.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41310.json"