Medium severity (CVSS 5.3) · NVD Advisory · Published Apr 23, 2026 · Updated Apr 29, 2026
CVE-2026-40891
Description
OpenTelemetry dotnet is a .NET telemetry framework. From 1.13.1 to before 1.15.2, when exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field whose declared length was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS). This vulnerability is fixed in 1.15.2.
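The pattern the description refers to is a length-delimited protobuf field whose varint length prefix is trusted before any bytes are checked. The following is an added illustration, not code from the OpenTelemetry project or from the referenced fix: a minimal reader that shows the unchecked allocation beside a hardened variant that bounds the declared length by the bytes actually present (and by a policy cap) before allocating. The field layout, the 64 KiB cap and the sample trailer bytes are constructed assumptions for the example.

```csharp
// Added example (not OpenTelemetry's own code): reading one length-delimited
// protobuf field safely. The trailer bytes below are constructed for the demo.
using System;
using System.Text;

public static class SafeLengthDelimited
{
    // Reads a protobuf base-128 varint starting at `pos`, advancing `pos`.
    // Returns false if the varint is truncated or does not fit in 32 bits.
    public static bool TryReadVarint(ReadOnlySpan<byte> data, ref int pos, out uint value)
    {
        value = 0;
        int shift = 0;
        while (pos < data.Length && shift < 32)
        {
            byte b = data[pos++];
            value |= (uint)(b & 0x7F) << shift;
            if ((b & 0x80) == 0) return true;
            shift += 7;
        }
        return false; // ran out of input or too many continuation bytes
    }

    // Vulnerable pattern: the declared length drives the allocation directly.
    // A five-byte varint can declare ~4 GiB while the message carries one byte;
    // the allocation happens before the copy discovers the mismatch.
    public static byte[] ReadFieldUnchecked(ReadOnlySpan<byte> data, ref int pos)
    {
        if (!TryReadVarint(data, ref pos, out uint len))
            throw new FormatException("bad length varint");
        var buf = new byte[len];                 // attacker-controlled size
        data.Slice(pos, (int)len).CopyTo(buf);   // throws only after allocating
        pos += (int)len;
        return buf;
    }

    // Hardened pattern: reject any length larger than the remaining input or
    // larger than a caller-supplied cap before a single byte is allocated.
    public static bool TryReadField(ReadOnlySpan<byte> data, ref int pos, int maxLen, out byte[] field)
    {
        field = Array.Empty<byte>();
        int start = pos;
        if (!TryReadVarint(data, ref pos, out uint len)) { pos = start; return false; }
        if (len > (uint)maxLen || len > (uint)(data.Length - pos)) { pos = start; return false; }
        field = data.Slice(pos, (int)len).ToArray();
        pos += (int)len;
        return true;
    }

    public static void Main()
    {
        // Constructed inputs. Tag 0x12 = field 2, wire type 2 (length-delimited).
        byte[] good = { 0x12, 0x05, (byte)'h', (byte)'e', (byte)'l', (byte)'l', (byte)'o' };
        // Declares 0xFFFFFFFF bytes of payload but carries only one.
        byte[] huge = { 0x12, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F, 0x41 };

        foreach (var msg in new[] { good, huge })
        {
            int pos = 1; // skip the tag byte
            if (TryReadField(msg, ref pos, maxLen: 64 * 1024, out var field))
                Console.WriteLine($"ok: {Encoding.ASCII.GetString(field)}");
            else
                Console.WriteLine("rejected: declared length exceeds available bytes or cap");
        }
    }
}
```

The bound against `data.Length - pos` is what closes the allocation gap: a trailer is fully in hand by the time it is parsed, so any declared length exceeding the remaining bytes is malformed by construction and can be refused without allocating. The separate cap guards the case where the caller does not hold the whole message yet.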
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| OpenTelemetry.Exporter.OpenTelemetryProtocol | NuGet | >= 1.13.1, < 1.15.3 | 1.15.3 |
Affected products
- cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:* (range: >= 1.13.1, < 1.15.3)
Patches
No patches discovered yet.
References
- github.com/open-telemetry/opentelemetry-dotnet/pull/5980 (NVD: Issue Tracking, Patch)
- github.com/open-telemetry/opentelemetry-dotnet/pull/7064 (NVD: Issue Tracking, Patch)
- github.com/advisories/GHSA-mr8r-92fq-pj8p (GHSA: Advisory)
- github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-mr8r-92fq-pj8p (NVD: Vendor Advisory, Mitigation)
- nvd.nist.gov/vuln/detail/CVE-2026-40891 (GHSA: Advisory)