CVE-2026-40182

April 24, 2026, 2:41 p.m.

5.3
Medium

Description

OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. This vulnerability is fixed in 1.15.2.

Product(s) Impacted

Vendor Product Versions
Opentelemetry
  • Opentelemetry Dotnet
  • 1.13.1-1.15.1, *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-789
Memory Allocation with Excessive Size Value
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a opentelemetry opentelemetry_dotnet 1.13.1-1.15.1 / / / / / / /
a opentelemetry opentelemetry_dotnet / / / / / / / /

References

https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564
https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017
https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-q834-8qmm-v933
https://github.com/open-telemetry/opentelemetry-proto/pull/781

Tags

[email protected]
CWE-789
2026-04-23
CVE-2026-40182

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: April 23, 2026, 6:16 p.m.
Last Modified: April 24, 2026, 2:41 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.