Home

Description

OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.

PUBLISHED Reserved 2026-04-15 | Published 2026-04-23 | Updated 2026-04-23 | Assigner GitHub_M




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Problem types

CWE-789: Memory Allocation with Excessive Size Value

Product status

>= 0.5.0-beta.2, < 1.15.3
affected

>= 0.5.0-beta.2, < 1.15.3
affected

>= 1.3.1, < 1.15.3
affected

References

github.com/...dotnet/security/advisories/GHSA-g94r-2vxg-569j

github.com/open-telemetry/opentelemetry-dotnet/pull/1048

github.com/open-telemetry/opentelemetry-dotnet/pull/3244

github.com/open-telemetry/opentelemetry-dotnet/pull/3309

github.com/open-telemetry/opentelemetry-dotnet/pull/533

github.com/open-telemetry/opentelemetry-dotnet/pull/7061

cve.org (CVE-2026-40894)

nvd.nist.gov (CVE-2026-40894)

Download JSON