Listen to this Post
The CVE-2026-41173 vulnerability resides in two OpenTelemetry .NET components: `OpenTelemetry.Sampler.AWS` and OpenTelemetry.Resources.AWS. Both components are susceptible to a Denial of Service (DoS) attack due to unbounded memory allocation when handling HTTP responses.
How CVE-2026-41173 Works
The vulnerability manifests when these components interact with potentially untrusted endpoints, as detailed below:
1. Root Cause in OpenTelemetry.Sampler.AWS: The `AWSXRaySamplerClient.DoRequestAsync` method uses `HttpClient.SendAsync` followed by ReadAsStringAsync().
2. Unbounded Memory Allocation: This approach reads the entire HTTP response body into a single, in-memory string without any size limitations.
3. Configurable Endpoint: The sampling endpoint is configurable via AWSXRayRemoteSamplerBuilder.SetEndpoint, with a default value of http://localhost:2000`.OutOfMemoryException
4. Attacker's Leverage: An attacker who controls the configured endpoint, or can intercept traffic to it (Man-in-the-Middle), can return an arbitrarily large response body.
5. Impact of Large Response: This unbounded response causes excessive heap allocation in the consuming process, leading to high transient memory pressure.
6. Potential Consequences: The excessive memory pressure can cause garbage-collection stalls or an, which terminates the process.OpenTelemetry.Resources.AWS
7. Root Cause in: TheAWSEC2Detector,AWSECSDetector, and `AWSEKSDetector` classes make HTTP requests to AWS metadata services.http://localhost:2000`, which limits remote exposure.
8. Attack Vector: An attacker who controls these endpoints or intercepts the traffic can similarly return an oversized HTTP response body.
9. Denial of Service: In both cases, the result is a Denial of Service (DoS), destabilizing or crashing the application.
10. Mitigating Factors: The default X-Ray sampling endpoint is
11. Patches: The vulnerability is fixed in `OpenTelemetry.Sampler.AWS` version `0.1.0-alpha.8` and `OpenTelemetry.Resources.AWS` version 1.15.1.
12. Fix Implementation: The patches introduce size limits to `HttpClient` requests, streaming the response body instead of buffering it entirely in memory.
13. Workaround: Ensure the X-Ray sampling endpoint is not accessible to untrusted parties and use network-level controls to prevent MitM attacks.
14. CVSS Score: This vulnerability is classified as CRITICAL due to its potential for remote, unauthenticated Denial of Service.
DailyCVE Form
Platform: `OpenTelemetry.NET`
Version: `<0.1.0-alpha.8`
Vulnerability: `Unbounded HTTP Read`
Severity: `Critical`
Date: `2026-04-23`
Prediction: `Patched 2026-04-14`
What Undercode Say
Check vulnerable versions dotnet list package --outdated | grep -E "(OpenTelemetry.Sampler.AWS|OpenTelemetry.Resources.AWS)" Verify memory pressure from large responses curl -X GET http://localhost:2000 -H "Content-Length: 1000000000" Upgrade to patched versions dotnet add package OpenTelemetry.Sampler.AWS --version 0.1.0-alpha.8 dotnet add package OpenTelemetry.Resources.AWS --version 1.15.1
Exploit
- Identify a target application using vulnerable `OpenTelemetry` packages.
- Act as a Man-in-the-Middle (MitM) to intercept HTTP requests to the configured sampling endpoint (default:
localhost:2000) or metadata service. - Return an HTTP response with an extremely large body (e.g., several gigabytes).
- The vulnerable method `ReadAsStringAsync()` will read the entire response into memory.
- The application will experience high memory pressure, leading to garbage collection stalls.
- Eventually, an `OutOfMemoryException` is thrown, crashing the application and achieving a Denial of Service (DoS).
Protection from this CVE
Upgrade: Immediately update to `OpenTelemetry.Sampler.AWS` version `0.1.0-alpha.8` or higher and `OpenTelemetry.Resources.AWS` version `1.15.1` or higher.
Network Segmentation: Isolate the sampling endpoint (e.g., localhost:2000) to prevent remote access by untrusted parties.
Traffic Encryption: Enforce mTLS or service mesh to prevent Man-in-the-Middle (MitM) attacks on the communication channel.
Reverse Proxy: Place any remote endpoint behind a reverse proxy that enforces a response body size limit.
Monitor: Observe memory utilization and HTTP response sizes from AWS metadata services.
Impact
Primary: Remote, unauthenticated attackers can cause a Denial of Service (DoS) by crashing the application or service.
Secondary: Excessive memory consumption can lead to performance degradation for other services running on the same host.
Business: Application downtime, increased operational costs for auto-scaling and recovery, and potential data loss if the application crashes during a write operation.
Risk: Critical, as the attack can be performed without any prior authentication or privileges, simply by returning a large HTTP response.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

