{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40891", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.766Z", "datePublished": "2026-04-23T17:54:36.033Z", "dateUpdated": "2026-04-23T18:23:08.858Z"}, "containers": {"cna": {"title": "OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling", "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-mr8r-92fq-pj8p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-mr8r-92fq-pj8p"}, {"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/5980", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/5980"}, {"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064"}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-dotnet", "versions": [{"version": ">= 1.13.1, < 1.15.3", "status": "affected"}]}, {"vendor": "open-telemetry", "product": "OpenTelemetry.Exporter.OpenTelemetryProtocol", "versions": [{"version": ">= 1.13.1, < 1.15.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T17:54:36.033Z"}, "descriptions": [{"lang": "en", "value": "OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS). This vulnerability is fixed in 1.15.2."}], "source": {"advisory": "GHSA-mr8r-92fq-pj8p", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T18:22:43.489569Z", "id": "CVE-2026-40891", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T18:23:08.858Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40891", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T18:22:43.489569Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T18:22:55.571Z"}}], "cna": {"title": "OpenTelemetry dotnet: Unbounded `grpc-status-details-bin` parsing in OTLP/gRPC retry handling", "source": {"advisory": "GHSA-mr8r-92fq-pj8p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-dotnet", "versions": [{"status": "affected", "version": ">= 1.13.1, < 1.15.3"}]}, {"vendor": "open-telemetry", "product": "OpenTelemetry.Exporter.OpenTelemetryProtocol", "versions": [{"status": "affected", "version": ">= 1.13.1, < 1.15.3"}]}], "references": [{"url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-mr8r-92fq-pj8p", "name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-mr8r-92fq-pj8p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/5980", "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/5980", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064", "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS). This vulnerability is fixed in 1.15.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T17:54:36.033Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40891", "state": "PUBLISHED", "dateUpdated": "2026-04-23T18:23:08.858Z", "dateReserved": "2026-04-15T16:37:22.766Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-23T17:54:36.033Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:*", "matchCriteriaId": "9BACBB49-0AF7-4FB3-AAFB-1C9AB3E43F60", "versionEndExcluding": "1.15.3", "versionStartIncluding": "1.13.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenTelemetry dotnet is a dotnet telemetry framework. From 1.13.1 to before 1.15.2, When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided grpc-status-details-bin trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS). This vulnerability is fixed in 1.15.2."}], "id": "CVE-2026-40891", "lastModified": "2026-04-29T14:15:05.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-23T18:16:28.483", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/5980"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-mr8r-92fq-pj8p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-789"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.13.1,1.15.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "opentelemetry-dotnet", "vendor": "opentelemetry"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.13.1,1.15.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "OpenTelemetry.Exporter.OpenTelemetryProtocol", "source": "cna", "vendor": "open-telemetry"}, "product": "opentelemetry.exporter.opentelemetryprotocol", "vendor": "opentelemetry"}], "analysis": {"en": {"generated_at": "2026-04-29T01:42:39.593161+00:00", "value": {"mitigation_remediation": ["Update the OpenTelemetry.Exporter.OpenTelemetryProtocol and opentelemetry\u2011dotnet packages to version 1.15.2 or later.", "If an immediate upgrade is not possible, disable or limit OTLP gRPC retry handling in the exporter configuration to avoid processing server trailers.", "Monitor the telemetry exporter for abnormal memory growth or crashes to detect potential exploitation attempts early."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Vendors affected include OpenTelemetry for .NET, specifically the OpenTelemetry.Exporter.OpenTelemetryProtocol and opentelemetry-dotnet packages. All versions from 1.13.1 through to just before 1.15.2 are vulnerable. The recommendation is to upgrade to 1.15.2 or newer.", "description_and_impact": "The flaw, characterized as CWE-789 Uncontrolled Memory Allocation, resides in the dotnet telemetry framework used for exporting telemetry via gRPC. Between releases 1.13.1 and just before 1.15.2, the exporter processes the server\u2011provided grpc\u2011status\u2011details\u2011bin trailer when a retry occurs. A malformed trailer can contain an extremely large length\u2011delimited protobuf field; that field\u2019s size is used directly to allocate memory. An attacker who can supply such a trailer can force the exporter to allocate an excessive amount of memory, exhausting system resources and causing the exporter process or the host to become unresponsive.", "risk_and_exploitability": "The CVSS base score is 5.3, indicating a moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the current period, and the vulnerability is not listed in the CISA KEV catalog. Attackers can likely exploit the weakness remotely by sending crafted grpc\u2011status\u2011details\u2011bin trailers during OTLP retry handling, as the failure occurs when parsing data received from a server over the network. Because the problem is triggered only during retry logic, an attacker must induce at least one retry and supply a malicious trailer to trigger the excessive allocation. It is a denial\u2011of\u2011service attack that disrupts availability."}}}}, "created": "2026-04-28T09:25:52.344039+00:00", "updated": "2026-04-29T01:45:26.033232+00:00", "vendors": ["opentelemetry", "opentelemetry$PRODUCT$opentelemetry-dotnet", "opentelemetry$PRODUCT$opentelemetry.exporter.opentelemetryprotocol"]}