Description
OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.
Published: 2026-04-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Apply Patch
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g94r-2vxg-569j OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers
History

Tue, 28 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Opentelemetry opentelemetry
CPEs cpe:2.3:a:opentelemetry:opentelemetry.api:*:*:*:*:*:.net:*:*
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:*:*:*:*:*:*:*:*
cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:*
Vendors & Products Opentelemetry opentelemetry

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Opentelemetry
Opentelemetry opentelemetry-dotnet
Opentelemetry opentelemetry.api
Opentelemetry opentelemetry.extensions.propagators
Vendors & Products Opentelemetry
Opentelemetry opentelemetry-dotnet
Opentelemetry opentelemetry.api
Opentelemetry opentelemetry.extensions.propagators

Thu, 23 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Description OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.
Title OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers
Weaknesses CWE-789
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Opentelemetry Opentelemetry Opentelemetry-dotnet Opentelemetry.api Opentelemetry.extensions.propagators
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T19:22:47.268Z

Reserved: 2026-04-15T16:37:22.766Z

Link: CVE-2026-40894

cve-icon Vulnrichment

Updated: 2026-04-23T19:22:42.774Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-23T19:17:28.810

Modified: 2026-04-28T19:34:26.253

Link: CVE-2026-40894

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T15:00:14Z

Weaknesses