CVE-2026-42348
CVE-2026-42348 is a medium-severity vulnerability in Opentelemetry Opentelemetry.opamp.client with a CVSS 3.x base score of 5.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-789.
Key facts
- Severity: Medium (CVSS 3.x base score 5.9)
- EPSS exploit prediction: 0% (23rd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-29706
- Weakness: CWE-789
- Affected product: Opentelemetry Opentelemetry.opamp.client
- Published:
- Last modified:
Description
OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured OpAMP server is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response. This vulnerability is fixed in 0.2.0-alpha.1.
Frequently asked questions
- What is CVE-2026-42348?
- OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. Prior to 0.2.0-alpha.1, when receiving responses from the OpAMP server over HTTP, the OpAMP client allocates an unbounded buffer to read all bytes from the server, with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured OpAMP server is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response. This vulnerability is fixed in 0.2.0-alpha.1.
- How severe is CVE-2026-42348?
- CVE-2026-42348 has a CVSS 3.x base score of 5.9, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2026-42348 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (23rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-42348?
- CVE-2026-42348 affects Opentelemetry Opentelemetry.opamp.client. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-42348?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-42348 have an EU (EUVD) identifier?
- Yes. CVE-2026-42348 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-29706.
- When was CVE-2026-42348 published?
- CVE-2026-42348 was published on 2026-05-12 and last updated on 2026-06-17.
References
- https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4116
- https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-w2jh-77fq-7gp8
Affected products (1)
- cpe:2.3:a:opentelemetry:opentelemetry.opamp.client:*:*:*:*:*:.net:*:*
Other CWE-789 vulnerabilities
- CVE-2021-34869 — High (CVSS 8.8): This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop…
- CVE-2021-34868 — High (CVSS 8.8): This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop…
- CVE-2024-20260 — High (CVSS 8.6): A vulnerability in the VPN and management web servers of the Cisco Adaptive Security Virtual Appliance (ASAv) and Cisco…
- CVE-2021-34867 — High (CVSS 8.2): This vulnerability allows local attackers to escalate privileges on affected installations of Parallels Desktop…
- CVE-2026-20048 — High (CVSS 7.7): A vulnerability in the Simple Network Management Protocol (SNMP) subsystem of Cisco Nexus 9000 Series Fabric Switches…
- CVE-2026-15053 — High (CVSS 7.5): Tanium addressed a denial of service vulnerability in Tanium Server.