CVE Catalog

CVE-2026-54712

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

In OpenTelemetry Java Instrumentation prior to version 2.27.0, the RMI context propagation payload reader limits the number of context entries but does not limit the aggregate size of the strings read from the stream. An attacker who can reach an RMI endpoint on an instrumented JVM can send an oversized context propagation payload, causing excessive memory allocation and potential denial of service. The issue affects only deployments where RMI instrumentation is enabled and an RMI endpoint is network-reachable.

Risk Assessment

The organization is at risk of a denial-of-service attack that can disrupt Java applications using OpenTelemetry instrumentation and RMI protocol. An attacker can exhaust server memory, leading to service unavailability.

Recommendation

Immediately update OpenTelemetry Java Instrumentation to version 2.27.0 or later. If an update is not possible, consider disabling RMI instrumentation or restricting network access to RMI endpoints.

Original NVD description (English source)

OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.27.0, the RMI context propagation payload reader limits the number of context entries but does not limit the aggregate size of the strings read from the stream. An attacker who can reach an RMI endpoint on an instrumented JVM can send an oversized context propagation payload. This can cause excessive memory allocation while the JVM reads the payload, potentially leading to denial of service. The issue affects only deployments where RMI instrumentation is enabled and an RMI endpoint is network-reachable. This issue has been fixed in version 2.27.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS