CVE-2026-39882
Memory Exhaustion vulnerability in otlptracehttp (Go)
What is CVE-2026-39882 About?
This vulnerability in OpenTelemetry Go OTLP HTTP exporters allows for memory exhaustion by an attacker-controlled collector endpoint. The exporters read the full HTTP response body into an unbounded in-memory buffer, enabling a malicious endpoint to crash the client process. Exploitation is straightforward if the exporter sends data to an untrusted collector or over an insecure network.
Affected Software
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: <1.43.0
- go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp: <1.43.0
- go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp: <0.19.0
Technical Details
The OpenTelemetry Go OTLP HTTP exporters for traces, metrics, and logs are vulnerable. The core issue is that these exporters read the entire HTTP response body from the collector into an in-memory bytes.Buffer without any size limit. This occurs in code locations like exporters/otlp/otlptrace/otlptracehttp/client.go:199 and the corresponding paths for metrics and logs, where io.Copy(&respData, resp.Body) is used. If the collector endpoint is controlled by an attacker, or a network attacker can perform a Man-in-the-Middle (MITM) attack, they can return an arbitrarily large HTTP response body. The client-side exporter then allocates a transient heap buffer of the same size, potentially leading to an Out-of-Memory (OOM) error and crashing the instrumented process. The result is a remote denial of service against clients configured to send telemetry to untrusted endpoints.
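The following is an added example of the bounded-read pattern that closes this class of bug; it is not the project's own patch. The cap value, the function names and the httptest stand-in collector are assumptions for the demonstration. Instead of `io.Copy(&respData, resp.Body)`, the reply is read through an `io.LimitReader` and rejected outright once it exceeds the cap.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Cap on buffered reply size; hypothetical value for this example (OTLP replies are tiny).
const maxResponseBytes int64 = 64 << 10 // 64 KiB

var ErrResponseTooLarge = errors.New("otlp: collector response exceeds size limit")

// readBodyBounded replaces the unbounded io.Copy(&respData, resp.Body): it copies
// at most limit+1 bytes, and the extra byte proves the body exceeded the cap, so
// the caller fails closed instead of buffering whatever the remote side sends.
func readBodyBounded(body io.Reader, limit int64) ([]byte, error) {
	var respData bytes.Buffer
	n, err := io.Copy(&respData, io.LimitReader(body, limit+1))
	if err != nil {
		return nil, err
	}
	if n > limit {
		return nil, ErrResponseTooLarge
	}
	return respData.Bytes(), nil
}

// postBounded sends an export payload and reads the collector's reply under the cap.
func postBounded(c *http.Client, url string, payload []byte) ([]byte, error) {
	resp, err := c.Post(url, "application/x-protobuf", bytes.NewReader(payload))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	return readBodyBounded(resp.Body, maxResponseBytes)
}

func main() {
	// Constructed stand-in for a collector that answers with a 1 MiB body.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write(bytes.Repeat([]byte("A"), 1<<20))
	}))
	defer srv.Close()
	_, err := postBounded(srv.Client(), srv.URL, []byte("export"))
	fmt.Println("bounded read:", err) // prints: bounded read: otlp: collector response exceeds size limit
}
```

Because the body is only read up to the cap plus one byte, the client's peak heap use is bounded by the constant rather than by the remote side's reply.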
What is the Impact of CVE-2026-39882?
Successful exploitation may allow attackers to force large transient heap allocations, potentially leading to an Out-of-Memory (OOM) error and crashing the instrumented process, resulting in a denial of service for the client and loss of telemetry data.
What is the Exploitability of CVE-2026-39882?
Exploitation is of low complexity. It requires the exporter to be configured to send telemetry to an untrusted collector endpoint, or a network attacker positioned to perform a Man-in-the-Middle (MITM) attack on the connection to the collector. The attacker needs no authentication to the collector, because the vulnerability is triggered purely by the size of the collector's response. No privileges are needed on the targeted system; the flaw is in the client-side handling of the response. This is a remote attack whose primary preconditions are an untrusted collector or an MITM position. The risk is significantly higher where OTLP exporters send to collector endpoints that are not fully trusted or where network security is compromised.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-39882?
Available Upgrade Options
- go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp: <0.19.0 → Upgrade to 0.19.0
- go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp: <1.43.0 → Upgrade to 1.43.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp: <1.43.0 → Upgrade to 1.43.0
Additional Resources
- https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-w8rr-5gcm-pp58
- https://osv.dev/vulnerability/GHSA-w8rr-5gcm-pp58
- https://github.com/open-telemetry/opentelemetry-go/pull/8108
- http://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0
- https://github.com/open-telemetry/opentelemetry-go
What are Similar Vulnerabilities to CVE-2026-39882?
Similar Vulnerabilities: CVE-2024-21657, CVE-2024-2826, CVE-2023-38408, CVE-2023-45805, CVE-2022-24843
