cve-2026-39882

CVE-2026-39882 is a denial-of-service vulnerability in the Go OTLP HTTP exporters used by OpenTelemetry. A malicious or intercepted collector response can exhaust memory in instrumented applications, potentially causing service disruption. Microsoft's Security Update Guide flagged this flaw after the OpenTelemetry-Go advisory in April 2026. While not a Windows kernel or remote-code-execution issue, it highlights risks in observability infrastructure. Discussions on WindowsForum cover mitigation strategies, including the 4 MiB limit fix, and emphasize the importance of updating OpenTelemetry components to prevent memory exhaustion attacks.