You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
opentelemetry-go
About this tag
The opentelemetry-go tag covers discussions about the Go implementation of OpenTelemetry, an observability framework for traces, metrics, and logs. Recent content highlights two high-severity denial-of-service vulnerabilities: CVE-2026-39882, which involves OTLP HTTP telemetry exporters that can exhaust memory from malicious collector responses, and CVE-2026-29181, which exploits repeated multi-value baggage HTTP headers to cause excessive CPU and memory usage. Both issues affect instrumented Go services and are relevant to Windows environments running cloud-native or Kubernetes workloads. The tag emphasizes the importance of updating to patched versions and maintaining observability hygiene to prevent telemetry systems from becoming attack vectors.
Microsoft’s Security Update Guide entry for CVE-2026-39882, published after the OpenTelemetry-Go advisory in April 2026, flags a denial-of-service flaw in the Go OTLP HTTP exporters that can let a malicious or intercepted collector response exhaust memory in instrumented applications. The bug is...
Microsoft has listed CVE-2026-29181 as a high-severity denial-of-service flaw in OpenTelemetry-Go, affecting versions 1.36.0 through 1.40.0 and fixed in 1.41.0, where repeated multi-value baggage HTTP headers can trigger excessive CPU work and memory allocation in instrumented Go services. The...