Vulnerability Description
OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span attributes. In high-cardinality scenarios, a process using Zipkin export for client or producer spans could experience avoidable memory growth under sustained unique remote endpoint values, increasing process memory usage over time and degrading availability. This issue is fixed in version 1.15.3, which introduces a bounded, thread-safe LRU cache for remote endpoints with a fixed maximum size.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Opentelemetry | Opentelemetry.Exporter.Zipkin | < 1.15.3 |
Related Weaknesses (CWE)
References
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/7081Issue Tracking
- https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-Vendor Advisory
FAQ
What is CVE-2026-41310?
CVE-2026-41310 is a vulnerability with a CVSS score of 5.3 (MEDIUM). OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from span at...
How severe is CVE-2026-41310?
CVE-2026-41310 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41310?
Check the references section above for vendor advisories and patch information. Affected products include: Opentelemetry Opentelemetry.Exporter.Zipkin.