CVE-2026-40891

Summary

OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS). This vulnerability is fixed in 1.15.2.

Affected Software

VendorProductVersion RangeStatus
open-telemetryopentelemetry-dotnet>= 1.13.1, < 1.15.3affected
open-telemetryOpenTelemetry.Exporter.OpenTelemetryProtocol>= 1.13.1, < 1.15.3affected

Weaknesses

  • CWE-789: CWE-789: Memory Allocation with Excessive Size Value

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References