CVE-2026-54712
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk15th percentile — higher than 15% of all known CVEs
Summary
In OpenTelemetry Java Instrumentation prior to version 2.27.0, the RMI context propagation payload reader limits the number of context entries but does not limit the aggregate size of the strings read from the stream. An attacker who can reach an RMI endpoint on an instrumented JVM can send an oversized context propagation payload, causing excessive memory allocation and potential denial of service. The issue affects only deployments where RMI instrumentation is enabled and an RMI endpoint is network-reachable.
Risk Assessment
The organization is at risk of a denial-of-service attack that can disrupt Java applications using OpenTelemetry instrumentation and RMI protocol. An attacker can exhaust server memory, leading to service unavailability.
Recommendation
Immediately update OpenTelemetry Java Instrumentation to version 2.27.0 or later. If an update is not possible, consider disabling RMI instrumentation or restricting network access to RMI endpoints.
Original NVD description (English source)
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.27.0, the RMI context propagation payload reader limits the number of context entries but does not limit the aggregate size of the strings read from the stream. An attacker who can reach an RMI endpoint on an instrumented JVM can send an oversized context propagation payload. This can cause excessive memory allocation while the JVM reads the payload, potentially leading to denial of service. The issue affects only deployments where RMI instrumentation is enabled and an RMI endpoint is network-reachable. This issue has been fixed in version 2.27.0.

