CVE-2026-40182
Description
OpenTelemetry dotnet is a .NET telemetry framework. From 1.13.1 to before 1.15.2, when exporting telemetry to a back-end/collector over gRPC or HTTP using the OpenTelemetry Protocol (OTLP) format, if the request results in an unsuccessful response (i.e. HTTP 4xx or 5xx), the response body is read into memory with no upper bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned in the response. This vulnerability is fixed in 1.15.2.
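As an added illustration (not code from the opentelemetry-dotnet project or from its fix), the unbounded pattern the description warns about is shown next to a bounded read that caps how much of a 4xx/5xx body is ever buffered; the 64 KiB cap, the helper names and the constructed 10 MiB response are assumptions.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

static class OtlpErrorBodyReader
{
    // Assumed cap: enough of an OTLP error body to log a useful message,
    // small enough that a hostile or MitM'd endpoint cannot exhaust memory.
    const int MaxErrorBodyBytes = 64 * 1024;

    // Pattern the advisory describes: the error body is buffered in full,
    // so its size is bounded only by what the remote endpoint chooses to send.
    static Task<string> ReadErrorBodyUnbounded(HttpResponseMessage response)
        => response.Content.ReadAsStringAsync();

    // Hardened form: copy at most MaxErrorBodyBytes from the stream, then stop.
    // Returns the text read and whether the body was cut off at the cap.
    static async Task<(string Body, bool Truncated)> ReadErrorBodyBounded(HttpResponseMessage response)
    {
        using Stream stream = await response.Content.ReadAsStreamAsync();
        var buffer = new byte[MaxErrorBodyBytes];
        int total = 0;
        while (total < buffer.Length)
        {
            int read = await stream.ReadAsync(buffer, total, buffer.Length - total);
            if (read == 0) break; // body ended within the cap
            total += read;
        }
        // One extra one-byte read tells us whether data remained beyond the cap.
        bool truncated = total == buffer.Length
            && await stream.ReadAsync(new byte[1], 0, 1) > 0;
        return (Encoding.UTF8.GetString(buffer, 0, total), truncated);
    }

    static async Task Main()
    {
        // Constructed sample: a 503 whose 10 MiB body stands in for a hostile collector.
        var response = new HttpResponseMessage(HttpStatusCode.ServiceUnavailable)
        {
            Content = new ByteArrayContent(new byte[10 * 1024 * 1024])
        };
        if (!response.IsSuccessStatusCode)
        {
            var (body, truncated) = await ReadErrorBodyBounded(response);
            Console.WriteLine($"buffered {body.Length} bytes, truncated={truncated}");
        }
    }
}
```

With a live HttpClient the request must be sent with HttpCompletionOption.ResponseHeadersRead, otherwise the client buffers the whole body before this helper ever sees the stream.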
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| OpenTelemetry.Exporter.OpenTelemetryProtocol (NuGet) | >= 1.13.1, < 1.15.2 | 1.15.2 |
Affected products
- cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:* (range: >= 1.13.1, < 1.15.2)
Patches
No patches discovered yet.
References
- github.com/open-telemetry/opentelemetry-dotnet/pull/6564 (NVD: Issue Tracking, Patch)
- github.com/open-telemetry/opentelemetry-dotnet/pull/7017 (NVD: Issue Tracking, Patch)
- github.com/advisories/GHSA-q834-8qmm-v933 (GHSA: Advisory)
- github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933 (NVD: Vendor Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-40182 (GHSA: Advisory)
- github.com/open-telemetry/opentelemetry-proto/pull/781 (NVD: Issue Tracking)