CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-54712

mediumCVSS 5.3covered by 1 sourcefirst seen 2026-07-01
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.27.0, the RMI context propagation payload reader limits the number of context entries but does not limit the aggregate size of the strings read from the stream. An attacker who can reach an RMI endpoint on an instrumented JVM can send an oversized context propagation payload. This can cause excessive memory allocation while the JVM reads the payload, potentially leading to denial of service. The issue affects only deployments where RMI instrumentation is enabled and an RMI endpoint is network-reachable. This issue has been fixed in version 2.27.0.

⚡ Watch CVE-2026-54712

Get an email if CVE-2026-54712 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-54712

CVE.org record

Embed the live status

CVE-2026-54712 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-54712 status](https://www.csirts.com/badge/CVE-2026-54712)](https://www.csirts.com/cve/CVE-2026-54712)