Bug 2456727 (CVE-2026-39882)

Summary: CVE-2026-39882 github.com/open-telemetry/opentelemetry-go: golang: OpenTelemetry-Go: Memory exhaustion via uncapped HTTP response body reading
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: clusk, ytale
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in OpenTelemetry-Go. The otlp HTTP exporters read the full HTTP response body into an in-memory buffer without a size cap. A remote attacker, by controlling the collector endpoint or performing a man-in-the-middle (MITM) attack on the exporter connection, can exploit this to cause memory exhaustion. This vulnerability can lead to a Denial of Service (DoS) for the affected system.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-04-08 21:02:27 UTC
OpenTelemetry-Go is the Go implementation of OpenTelemetry. Prior to 1.43.0, the otlp HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory bytes.Buffer without a size cap. This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mitm the exporter connection). This vulnerability is fixed in 1.43.0.