CVE-2026-40894
OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.
| CWE | CWE-789 |
| Vendor | open-telemetry |
| Product | opentelemetry-dotnet |
| Published | Apr 23, 2026 |
| Last Updated | Apr 23, 2026 |
Stay Ahead of the Next One
Get instant alerts for open-telemetry opentelemetry-dotnet
Be the first to know when new medium vulnerabilities affecting open-telemetry opentelemetry-dotnet are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
Affected Versions
open-telemetry / opentelemetry-dotnet
>= 0.5.0-beta.2, < 1.15.3
open-telemetry / OpenTelemetry.Api
>= 0.5.0-beta.2, < 1.15.3
open-telemetry / OpenTelemetry.Extensions.Propagators
>= 1.3.1, < 1.15.3
References
github.com: https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j github.com: https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048 github.com: https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244 github.com: https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309 github.com: https://github.com/open-telemetry/opentelemetry-dotnet/pull/533 github.com: https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061