Impact
The flaw, classified as CWE-789 (Uncontrolled Memory Allocation), resides in the OpenTelemetry .NET exporter used to send telemetry over gRPC. In releases from 1.13.1 up to, but not including, 1.15.2, the exporter parses the server-provided grpc-status-details-bin trailer when a retry occurs. A malformed trailer can declare an extremely large length-delimited protobuf field, and that declared size is used directly to allocate memory. An attacker who can supply such a trailer can force the exporter to allocate an excessive amount of memory, exhausting system resources and leaving the exporter process or the host unresponsive.
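To make the allocation pattern concrete, the following added example (not code from the OpenTelemetry project, and not a reproduction of its fix) parses a simplified google.rpc.Status message from a base64-encoded grpc-status-details-bin value. With no cap, the parser sizes its buffer from the length declared in the trailer, which is the CWE-789 pattern the advisory describes; with a cap, it checks the declared length against both the bytes actually present and an upper bound before allocating. The cap value, the forged trailer and the two-field Status layout are assumptions made for the illustration.

```python
import base64
from typing import Optional

# Cap used by the checked parser; chosen for this illustration, not taken from the exporter.
MAX_FIELD_BYTES = 64 * 1024


def read_varint(buf: bytes, pos: int) -> tuple:
    """Decode a protobuf base-128 varint at pos; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def write_varint(n: int) -> bytes:
    """Encode a non-negative integer as a protobuf varint."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def encode_trailer(code: int, message: bytes) -> str:
    """Base64 trailer value carrying a minimal google.rpc.Status: field 1 code, field 2 message."""
    body = b"\x08" + write_varint(code) + b"\x12" + write_varint(len(message)) + message
    return base64.b64encode(body).decode("ascii")


def forged_trailer(declared_len: int) -> str:
    """Constructed sample input (not a real capture): status 14 (UNAVAILABLE, a retryable
    code) whose message field declares declared_len bytes but carries only five."""
    body = b"\x08\x0e\x12" + write_varint(declared_len) + b"retry"
    return base64.b64encode(body).decode("ascii")


def parse_status(trailer_b64: str, max_field_bytes: Optional[int] = None) -> dict:
    """Parse the Status proto in a grpc-status-details-bin value into {field_number: value}.

    With max_field_bytes=None the buffer is sized from the declared length alone (the
    vulnerable pattern). With a cap, the declared length is validated before allocation.
    """
    raw = base64.b64decode(trailer_b64)
    pos, fields = 0, {}
    while pos < len(raw):
        tag, pos = read_varint(raw, pos)
        field, wire_type = tag >> 3, tag & 0x7
        if wire_type == 0:  # varint (status code)
            fields[field], pos = read_varint(raw, pos)
        elif wire_type == 2:  # length-delimited (message, details)
            length, pos = read_varint(raw, pos)
            if max_field_bytes is not None:
                remaining = len(raw) - pos
                if length > remaining:
                    raise ValueError(f"field {field} declares {length} bytes, only {remaining} present")
                if length > max_field_bytes:
                    raise ValueError(f"field {field} exceeds cap of {max_field_bytes} bytes")
            buf = bytearray(length)  # unchecked path: allocation sized by the peer's declared length
            chunk = raw[pos:pos + length]
            buf[: len(chunk)] = chunk
            fields[field] = buf
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
    return fields


def is_rejected(trailer_b64: str, max_field_bytes: int) -> bool:
    """True if the checked parser refuses the trailer instead of allocating for it."""
    try:
        parse_status(trailer_b64, max_field_bytes)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    trailer = forged_trailer(1_000_000)
    print("unchecked buffer size:", len(parse_status(trailer)[2]))
    print("checked parser rejects:", is_rejected(trailer, MAX_FIELD_BYTES))
```

The check against the bytes actually present is the one that matters most: a trailer is a bounded HTTP/2 header block, so a declared field length larger than the remaining payload can never be legitimate and should be rejected before any buffer is sized from it.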
Affected Systems
Affected vendors include OpenTelemetry for .NET, specifically the OpenTelemetry.Exporter.OpenTelemetryProtocol and opentelemetry-dotnet packages. All versions from 1.13.1 up to, but not including, 1.15.2 are vulnerable. The recommendation is to upgrade to 1.15.2 or newer.
Risk and Exploitability
The CVSS base score is 5.3, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the current period, and the vulnerability is not listed in the CISA KEV catalog. The weakness is likely exploitable remotely, since the failure occurs when parsing a crafted grpc-status-details-bin trailer received from a server over the network during OTLP retry handling. Because the vulnerable code runs only in the retry path, an attacker must induce at least one retry and supply a malicious trailer to trigger the excessive allocation. The outcome is a denial-of-service condition that disrupts availability.