CVE-2026-40894 - Vulnerability Details

- OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers

Description

OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.

Published: 2026-04-23

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability lies in the baggage, B3 and Jaeger header parsing logic of the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators libraries, where malformed or deliberately crafted propagation headers can trigger excessive memory allocation. This weakness falls under CWE-789 – Memory Exhaustion. Although the CVE description does not specify the exact attack vector, it is inferred that an attacker could send malicious OpenTelemetry headers to a .NET application that processes these headers, resulting in a denial of service when the application runs out of memory or becomes unresponsive.

Affected Systems

Vulnerable builds include OpenTelemetry.Api versions 0.5.0‑beta.2 through 1.15.2 and OpenTelemetry.Extensions.Propagators versions 1.3.1 through 1.15.2. Applications built against these NuGet packages could be exposed if they parse OpenTelemetry propagation headers. The issue is fixed in version 1.15.3 and later of both libraries.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact. The EPSS score of less than 1 % suggests a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, if an application receives untrusted network traffic containing OpenTelemetry headers, an attacker could potentially trigger the excessive memory allocation, causing a local denial of service. Updating the library mitigates the issue.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

open-telemetry

opentelemetry-dotnet

affected

Version	Status	Constraints
`>= 0.5.0-beta.2, < 1.15.3`	affected	—

open-telemetry

OpenTelemetry.Api

affected

Version	Status	Constraints
`>= 0.5.0-beta.2, < 1.15.3`	affected	—

open-telemetry

OpenTelemetry.Extensions.Propagators

affected

Version	Status	Constraints
`>= 1.3.1, < 1.15.3`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:opentelemetry:opentelemetry::::::.net::*
	cpe:2.3:a:opentelemetry:opentelemetry.api::::::.net::*
	cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators::::::::

No data.

Vendor Product Confidence Versions

Opentelemetry

Opentelemetry-dotnet

100%

Version	Status	Scheme	Platform
`[0.5.0-beta.2,1.15.3)`	affected	semver	—

Opentelemetry

Opentelemetry.api

100%

Version	Status	Scheme	Platform
`[0.5.0-beta.2,1.15.3)`	affected	semver	—

Opentelemetry

Opentelemetry.extensions.propagators

100%

Version	Status	Scheme	Platform
`[1.3.1,1.15.3)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators to version 1.15.3 or newer.
If upgrading is not possible immediately, configure the application to reject or limit OpenTelemetry propagation headers, preventing the processing of overly large or malicious headers.
Apply rate limiting or request validation on incoming traffic to reduce the impact of any residual memory allocation attempts.

Generated by OpenCVE AI on April 28, 2026 at 14:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-g94r-2vxg-569j	OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00026.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048
https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244
https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309
https://github.com/open-telemetry/opentelemetry-dotnet/pull/533
https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061
https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j

History

Tue, 28 Apr 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Opentelemetry opentelemetry
CPEs		cpe:2.3:a:opentelemetry:opentelemetry.api::::::.net::* cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:::::::: cpe:2.3:a:opentelemetry:opentelemetry::::::.net::*
Vendors & Products		Opentelemetry opentelemetry

Tue, 28 Apr 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Opentelemetry Opentelemetry opentelemetry-dotnet Opentelemetry opentelemetry.api Opentelemetry opentelemetry.extensions.propagators
Vendors & Products		Opentelemetry Opentelemetry opentelemetry-dotnet Opentelemetry opentelemetry.api Opentelemetry opentelemetry.extensions.propagators

Thu, 23 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 23 Apr 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.
Title		OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers
Weaknesses		CWE-789
References		https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048 https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244 https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309 https://github.com/open-telemetry/opentelemetry-dotnet/pull/533 https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061 https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}`

Subscriptions

Opentelemetry Opentelemetry Opentelemetry-dotnet Opentelemetry.api Opentelemetry.extensions.propagators

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-23T18:03:28.211Z

Updated: 2026-04-23T19:22:47.268Z

Reserved: 2026-04-15T16:37:22.766Z

Link: CVE-2026-40894

Vulnrichment

Updated: 2026-04-23T19:22:42.774Z

NVD

Status : Analyzed

Published: 2026-04-23T19:17:28.810

Modified: 2026-04-28T19:34:26.253

Link: CVE-2026-40894

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses

CWE-789

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object