{
  "threat_severity" : "Important",
  "public_date" : "2026-04-07T20:29:13Z",
  "bugzilla" : {
    "description" : "github.com/open-telemetry/opentelemetry-go: OpenTelemetry-Go: Denial of Service via crafted multi-value baggage headers",
    "id" : "2456252",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2456252"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.36.0 to 1.40.0, multi-value baggage: header extraction parses each header field-value independently and aggregates members across values. This allows an attacker to amplify cpu and allocations by sending many baggage: header lines, even when each individual value is within the 8192-byte per-value parse limit. This vulnerability is fixed in 1.41.0.", "A flaw was found in OpenTelemetry-Go, the Go implementation of OpenTelemetry. A remote attacker can exploit this vulnerability by sending multiple 'baggage' header lines. The system's independent parsing and aggregation of each header field-value across multiple values can lead to amplified CPU and memory allocations, resulting in a Denial of Service (DoS)." ],
  "affected_release" : [ {
    "product_name" : "multicluster engine for Kubernetes 2.11",
    "release_date" : "2026-06-11T00:00:00Z",
    "advisory" : "RHSA-2026:25271",
    "cpe" : "cpe:/a:redhat:multicluster_engine:2.11::el9",
    "package" : "multicluster-engine/hypershift-addon-rhel9-operator:1780917881"
  } ],
  "package_state" : [ {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Under investigation",
    "package_name" : "multicluster-engine/managedcluster-import-controller-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Under investigation",
    "package_name" : "multicluster-engine/multicloud-manager-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Under investigation",
    "package_name" : "multicluster-engine/placement-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Under investigation",
    "package_name" : "multicluster-engine/registration-operator-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Under investigation",
    "package_name" : "multicluster-engine/registration-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Under investigation",
    "package_name" : "multicluster-engine/work-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-29181\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-29181\nhttps://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-mh2q-q3fh-2475" ],
  "name" : "CVE-2026-29181",
  "csaw" : false
}