CVE Catalog

CVE-2026-41178

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.42%

33th percentile - higher than 33% of all known CVEs

Summary

OpenTelemetry-Go versions 1.41.0 and 1.43.0 removed raw-length rejection, causing the `Parse` function to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs.

Risk Assessment

Organizations may be vulnerable to DoS attacks that can lead to service unavailability due to processing oversized or invalid headers.

Recommendation

It is recommended to upgrade to versions 1.42.0 or 1.44.0, which fix the issue.

Original NVD description (English source)

OpenTelemetry-Go is the Go implementation of OpenTelemetry. Versions 1.41.0 and 1.43.0 removed raw-length rejection and it causes `Parse` to process arbitrarily large/invalid baggage headers and log errors, enabling DoS via oversized inputs. Versions 1.42.0 and 1.44.0 fix the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS