Vulnerability-Lookup

CVE-2026-29181 (GCVE-0-2026-29181)

Vulnerability from cvelistv5 – Published: 2026-04-07 20:29 – Updated: 2026-04-08 15:37

Title

OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)

Summary

OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

URL

Tags

https://github.com/open-telemetry/opentelemetry-g…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	open-telemetry	opentelemetry-go	Affected: >= 1.36.0, < 1.41.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-29181",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-08T15:36:53.783712Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-08T15:37:02.444Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opentelemetry-go",
          "vendor": "open-telemetry",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.36.0, \u003c 1.41.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-07T20:29:13.933Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475"
        }
      ],
      "source": {
        "advisory": "GHSA-mh2q-q3fh-2475",
        "discovery": "UNKNOWN"
      },
      "title": "OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-29181",
    "datePublished": "2026-04-07T20:29:13.933Z",
    "dateReserved": "2026-03-04T14:44:00.713Z",
    "dateUpdated": "2026-04-08T15:37:02.444Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-29181",
      "date": "2026-04-14",
      "epss": "0.00052",
      "percentile": "0.16328"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-29181\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-07T21:17:16.003\",\"lastModified\":\"2026-04-14T18:45:01.363\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:go:*:*\",\"versionStartIncluding\":\"1.36.0\",\"versionEndExcluding\":\"1.41.0\",\"matchCriteriaId\":\"A92EDFF5-4806-4B87-86F2-A3BE4A0A02A9\"}]}]}],\"references\":[{\"url\":\"https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-770\", \"lang\": \"en\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"attackComplexity\": \"LOW\", \"attackVector\": \"NETWORK\", \"availabilityImpact\": \"HIGH\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"scope\": \"UNCHANGED\", \"userInteraction\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"version\": \"3.1\"}}], \"references\": [{\"name\": \"https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475\"}], \"affected\": [{\"vendor\": \"open-telemetry\", \"product\": \"opentelemetry-go\", \"versions\": [{\"version\": \"\u003e= 1.36.0, \u003c 1.41.0\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-07T20:29:13.933Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.\"}], \"source\": {\"advisory\": \"GHSA-mh2q-q3fh-2475\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-29181\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-08T15:36:53.783712Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-08T15:36:58.862Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-29181\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-03-04T14:44:00.713Z\", \"datePublished\": \"2026-04-07T20:29:13.933Z\", \"dateUpdated\": \"2026-04-08T15:37:02.444Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-MH2Q-Q3FH-2475

Vulnerability from github – Published: 2026-04-07 20:12 – Updated: 2026-04-07 22:16

Summary

OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)

Details

multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit.

severity

HIGH (availability / remote request amplification)

relevant links

repository: https://github.com/open-telemetry/opentelemetry-go
pinned callsite: https://github.com/open-telemetry/opentelemetry-go/blob/1ee4a4126dbdd1bc79e9fae072fa488beffac52a/propagation/baggage.go#L58

vulnerability details

pins: open-telemetry/opentelemetry-go@1ee4a4126dbdd1bc79e9fae072fa488beffac52a as-of: 2026-02-04 policy: direct (no program scope provided)

callsite: propagation/baggage.go:58 (extractMultiBaggage) attacker control: inbound HTTP request headers (many baggage field-values) → propagation.HeaderCarrier.Values("baggage") → repeated baggage.Parse + member aggregation

root cause

extractMultiBaggage iterates over all baggage header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).

impact

in a default net/http configuration (max header bytes 1mb), a single request with many baggage: header field-values can cause large per-request allocations and increased latency.

example from the attached PoC harness (darwin/arm64; 80 values; 40 requests):

canonical: per_req_alloc_bytes=10315458 and p95_ms=7
control: per_req_alloc_bytes=133429 and p95_ms=0

proof of concept

canonical:

mkdir -p poc
unzip poc.zip -d poc
cd poc
make test

output (excerpt):

[CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage
[PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165

control:

cd poc
make control

control output (excerpt):

[NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480

expected: multiple baggage header field-values should be semantically equivalent to a single comma-joined baggage value and should not multiply parsing/alloc work within the effective header byte budget. actual: multiple baggage header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.

fix recommendation

avoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).

fix accepted when: under the default PoC harness settings, canonical stays within 2x of control for per_req_alloc_bytes and per_req_allocs, and p95_ms stays below 2ms.

poc.zip PR_DESCRIPTION.md

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.40.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "go.opentelemetry.io/otel/baggage"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.36.0"
            },
            {
              "fixed": "1.41.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.40.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "go.opentelemetry.io/otel/propagation"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.36.0"
            },
            {
              "fixed": "1.41.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-29181"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-07T20:12:57Z",
    "nvd_published_at": "2026-04-07T21:17:16Z",
    "severity": "HIGH"
  },
  "details": "multi-value `baggage:` header extraction parses each header field-value independently and aggregates members across values. this allows an attacker to amplify cpu and allocations by sending many `baggage:` header lines, even when each individual value is within the 8192-byte per-value parse limit.\n\n## severity\n\nHIGH (availability / remote request amplification)\n\n## relevant links\n\n- repository: https://github.com/open-telemetry/opentelemetry-go\n- pinned callsite: https://github.com/open-telemetry/opentelemetry-go/blob/1ee4a4126dbdd1bc79e9fae072fa488beffac52a/propagation/baggage.go#L58\n\n## vulnerability details\n\n**pins:** open-telemetry/opentelemetry-go@1ee4a4126dbdd1bc79e9fae072fa488beffac52a\n**as-of:** 2026-02-04\n**policy:** direct (no program scope provided)\n\n**callsite:** propagation/baggage.go:58 (`extractMultiBaggage`)\n**attacker control:** inbound HTTP request headers (many `baggage` field-values) \u2192 `propagation.HeaderCarrier.Values(\"baggage\")` \u2192 repeated `baggage.Parse` + member aggregation\n\n### root cause\n\n`extractMultiBaggage` iterates over all `baggage` header field-values and parses each one independently, then appends members into a shared slice. the 8192-byte parsing cap applies per header value, but the multi-value path repeats that work once per header line (bounded only by the server/proxy header byte limit).\n\n### impact\n\nin a default `net/http` configuration (max header bytes 1mb), a single request with many `baggage:` header field-values can cause large per-request allocations and increased latency.\n\nexample from the attached PoC harness (darwin/arm64; 80 values; 40 requests):\n\n- canonical: `per_req_alloc_bytes=10315458` and `p95_ms=7`\n- control: `per_req_alloc_bytes=133429` and `p95_ms=0`\n\n## proof of concept\n\ncanonical:\n\n```bash\nmkdir -p poc\nunzip poc.zip -d poc\ncd poc\nmake test\n```\n\noutput (excerpt):\n\n```\n[CALLSITE_HIT]: propagation/baggage.go:58 extractMultiBaggage\n[PROOF_MARKER]: baggage_multi_value_amplification p95_ms=7 per_req_alloc_bytes=10315458 per_req_allocs=16165\n```\n\ncontrol:\n\n```bash\ncd poc\nmake control\n```\n\ncontrol output (excerpt):\n\n```\n[NC_MARKER]: baggage_single_value_baseline p95_ms=0 per_req_alloc_bytes=133429 per_req_allocs=480\n```\n\n**expected:** multiple `baggage` header field-values should be semantically equivalent to a single comma-joined `baggage` value and should not multiply parsing/alloc work within the effective header byte budget.\n**actual:** multiple `baggage` header field-values trigger repeated parsing and member aggregation, causing high per-request allocations and increased latency even when each individual value is within 8192 bytes.\n\n## fix recommendation\n\navoid repeated parsing across multi-values by enforcing a global budget and/or normalizing multi-values into a single value before parsing. one mitigation approach is to treat multi-values as a single comma-joined string and cap total parsed bytes (for example 8192 bytes total).\n\n**fix accepted when:** under the default PoC harness settings, canonical stays within 2x of control for `per_req_alloc_bytes` and `per_req_allocs`, and `p95_ms` stays below 2ms.\n\n\n[poc.zip](https://github.com/user-attachments/files/25079945/poc.zip)\n[PR_DESCRIPTION.md](https://github.com/user-attachments/files/25079946/PR_DESCRIPTION.md)",
  "id": "GHSA-mh2q-q3fh-2475",
  "modified": "2026-04-07T22:16:39Z",
  "published": "2026-04-07T20:12:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29181"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-go/pull/7880"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-go/commit/aa1894e09e3fe66860c7885cb40f98901b35277f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/open-telemetry/opentelemetry-go"
    },
    {
      "type": "WEB",
      "url": "https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.41.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)"
}

FKIE_CVE-2026-29181

Vulnerability from fkie_nvd - Published: 2026-04-07 21:17 - Updated: 2026-04-14 18:45

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	opentelemetry	opentelemetry	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "A92EDFF5-4806-4B87-86F2-A3BE4A0A02A9",
              "versionEndExcluding": "1.41.0",
              "versionStartIncluding": "1.36.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0."
    }
  ],
  "id": "CVE-2026-29181",
  "lastModified": "2026-04-14T18:45:01.363",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-07T21:17:16.003",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

MSRC_CVE-2026-29181

Vulnerability from csaf_microsoft - Published: 2026-04-02 00:00 - Updated: 2026-04-11 01:03

Summary

OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)

Notes

Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2026-29181

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-770 - Allocation of Resources Without Limits or Throttling

None Available There is no fix available for this vulnerability as of now

References

URL

Category

	https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self
	https://support.microsoft.com/lifecycle	external
	https://www.first.org/cvss	external
	https://msrc.microsoft.com/csaf/vex/2026/msrc_cve…	self

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2026-29181 OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification) - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-29181.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)",
    "tracking": {
      "current_release_date": "2026-04-11T01:03:43.000Z",
      "generator": {
        "date": "2026-04-11T07:03:19.469Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2026-29181",
      "initial_release_date": "2026-04-02T00:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-04-11T01:03:43.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              },
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 azurelinux-image-tools 1.2.0-2",
                "product": {
                  "name": "azl3 azurelinux-image-tools 1.2.0-2",
                  "product_id": "4"
                }
              }
            ],
            "category": "product_name",
            "name": "azurelinux-image-tools"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 cloud-provider-kubevirt 0.5.1-3",
                "product": {
                  "name": "azl3 cloud-provider-kubevirt 0.5.1-3",
                  "product_id": "11"
                }
              }
            ],
            "category": "product_name",
            "name": "cloud-provider-kubevirt"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 containerd2 2.0.0-18",
                "product": {
                  "name": "azl3 containerd2 2.0.0-18",
                  "product_id": "10"
                }
              }
            ],
            "category": "product_name",
            "name": "containerd2"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 containerized-data-importer 1.62.0-2",
                "product": {
                  "name": "azl3 containerized-data-importer 1.62.0-2",
                  "product_id": "9"
                }
              }
            ],
            "category": "product_name",
            "name": "containerized-data-importer"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 coredns 1.11.4-15",
                "product": {
                  "name": "azl3 coredns 1.11.4-15",
                  "product_id": "3"
                }
              }
            ],
            "category": "product_name",
            "name": "coredns"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 cri-tools 1.32.0-4",
                "product": {
                  "name": "azl3 cri-tools 1.32.0-4",
                  "product_id": "8"
                }
              }
            ],
            "category": "product_name",
            "name": "cri-tools"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "cbl2 etcd 3.5.28-1",
                "product": {
                  "name": "cbl2 etcd 3.5.28-1",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version_range",
                "name": "azl3 etcd 3.5.28-1",
                "product": {
                  "name": "azl3 etcd 3.5.28-1",
                  "product_id": "1"
                }
              }
            ],
            "category": "product_name",
            "name": "etcd"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 gh 2.62.0-13",
                "product": {
                  "name": "azl3 gh 2.62.0-13",
                  "product_id": "7"
                }
              }
            ],
            "category": "product_name",
            "name": "gh"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 keda 2.14.1-11",
                "product": {
                  "name": "azl3 keda 2.14.1-11",
                  "product_id": "6"
                }
              }
            ],
            "category": "product_name",
            "name": "keda"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "azl3 telegraf 1.31.0-17",
                "product": {
                  "name": "azl3 telegraf 1.31.0-17",
                  "product_id": "5"
                }
              }
            ],
            "category": "product_name",
            "name": "telegraf"
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 azurelinux-image-tools 1.2.0-2 as a component of Azure Linux 3.0",
          "product_id": "17084-4"
        },
        "product_reference": "4",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 cloud-provider-kubevirt 0.5.1-3 as a component of Azure Linux 3.0",
          "product_id": "17084-11"
        },
        "product_reference": "11",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 containerd2 2.0.0-18 as a component of Azure Linux 3.0",
          "product_id": "17084-10"
        },
        "product_reference": "10",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 containerized-data-importer 1.62.0-2 as a component of Azure Linux 3.0",
          "product_id": "17084-9"
        },
        "product_reference": "9",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 coredns 1.11.4-15 as a component of Azure Linux 3.0",
          "product_id": "17084-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 cri-tools 1.32.0-4 as a component of Azure Linux 3.0",
          "product_id": "17084-8"
        },
        "product_reference": "8",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 etcd 3.5.28-1 as a component of CBL Mariner 2.0",
          "product_id": "17086-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17086"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 etcd 3.5.28-1 as a component of Azure Linux 3.0",
          "product_id": "17084-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 gh 2.62.0-13 as a component of Azure Linux 3.0",
          "product_id": "17084-7"
        },
        "product_reference": "7",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 keda 2.14.1-11 as a component of Azure Linux 3.0",
          "product_id": "17084-6"
        },
        "product_reference": "6",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 telegraf 1.31.0-17 as a component of Azure Linux 3.0",
          "product_id": "17084-5"
        },
        "product_reference": "5",
        "relates_to_product_reference": "17084"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-29181",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "general",
          "text": "GitHub_M",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "known_affected": [
          "17084-4",
          "17084-11",
          "17084-10",
          "17084-9",
          "17084-3",
          "17084-8",
          "17086-2",
          "17084-1",
          "17084-7",
          "17084-6",
          "17084-5"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2026-29181 OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification) - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2026/msrc_cve-2026-29181.json"
        }
      ],
      "remediations": [
        {
          "category": "none_available",
          "date": "2026-04-11T01:03:43.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-4"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-11T01:03:43.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-11"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-11T01:03:43.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-10"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-11T01:03:43.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-9"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-11T01:03:43.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-3"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-11T01:03:43.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-8"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-11T01:03:43.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17086-2"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-11T01:03:43.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-1"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-11T01:03:43.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-7"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-11T01:03:43.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-6"
          ]
        },
        {
          "category": "none_available",
          "date": "2026-04-11T01:03:43.000Z",
          "details": "There is no fix available for this vulnerability as of now",
          "product_ids": [
            "17084-5"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "environmentalsScore": 0.0,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "17084-4",
            "17084-11",
            "17084-10",
            "17084-9",
            "17084-3",
            "17084-8",
            "17086-2",
            "17084-1",
            "17084-7",
            "17084-6",
            "17084-5"
          ]
        }
      ],
      "title": "OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-29181 (GCVE-0-2026-29181)

GHSA-MH2Q-Q3FH-2475

severity

relevant links

vulnerability details

root cause

impact

proof of concept

fix recommendation

FKIE_CVE-2026-29181

MSRC_CVE-2026-29181

Tags

Sightings

Nomenclature