Vulnerability DatabaseCVE-2026-41173
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-41173
Published:April 23, 2026
Updated:May 18, 2026
The AWS X-Ray Remote Sampler package provides a sampler which can get sampling configurations from AWS X-Ray. Prior to 0.1.0-alpha.8, OpenTelemetry.Sampler.AWS reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory. AWSXRaySamplerClient.DoRequestAsync called HttpClient.SendAsync followed by ReadAsStringAsync(), which materializes the entire HTTP response body into a single in-memory string with no size limit. The sampling endpoint is configurable via AWSXRayRemoteSamplerBuilder.SetEndpoint (default: http://localhost:2000). An attacker who controls the configured endpoint, or who can intercept traffic to it (MitM), can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. This vulnerability is fixed in 0.1.0-alpha.8.
Affected Packages
OpenTelemetry.Resources.AWS (DOT_NET):
Affected version(s) >=1.5.0.128 <1.15.1
Fix Suggestion:
Update to version 1.15.1
https://github.com/open-telemetry/opentelemetry-dotnet-contrib.git (GITHUB):
Affected version(s) >=Resources.AWS-1.5.0-beta.1 <Resources.AWS-1.15.1
Fix Suggestion:
Update to version Resources.AWS-1.15.1
opentelemetry.resources.aws (NUGET):
Affected version(s) >=1.5.0-beta.1 <1.15.1
Fix Suggestion:
Update to version 1.15.1
opentelemetry.sampler.aws (NUGET):
Affected version(s) >=0.1.0-alpha.1 <0.1.0-alpha.8
Fix Suggestion:
Update to version 0.1.0-alpha.8
Related Resources (5)
https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4122
https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4100
https://github.com/open-telemetry/opentelemetry-dotnet-contrib
https://nvd.nist.gov/vuln/detail/CVE-2026-41173
https://github.com/open-telemetry/opentelemetry-dotnet-contrib/security/advisories/GHSA-28xm-prxc-5866
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.2
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Allocation of Resources Without Limits or Throttling
CWE-770
EPSS
Base Score:
0.02