{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40894", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T16:37:22.766Z", "datePublished": "2026-04-23T18:03:28.211Z", "dateUpdated": "2026-04-23T19:22:47.268Z"}, "containers": {"cna": {"title": "OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers", "problemTypes": [{"descriptions": [{"cweId": "CWE-789", "lang": "en", "description": "CWE-789: Memory Allocation with Excessive Size Value", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j"}, {"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048"}, {"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244"}, {"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309"}, {"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/533", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/533"}, {"name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061", "tags": ["x_refsource_MISC"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061"}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-dotnet", "versions": [{"version": ">= 0.5.0-beta.2, < 1.15.3", "status": "affected"}]}, {"vendor": "open-telemetry", "product": "OpenTelemetry.Api", "versions": [{"version": ">= 0.5.0-beta.2, < 1.15.3", "status": "affected"}]}, {"vendor": "open-telemetry", "product": "OpenTelemetry.Extensions.Propagators", "versions": [{"version": ">= 1.3.1, < 1.15.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T18:03:28.211Z"}, "descriptions": [{"lang": "en", "value": "OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3."}], "source": {"advisory": "GHSA-g94r-2vxg-569j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T19:22:40.530419Z", "id": "CVE-2026-40894", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T19:22:47.268Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40894", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T19:22:40.530419Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T19:22:42.774Z"}}], "cna": {"title": "OpenTelemetry dotnet: Excessive memory allocation when parsing OpenTelemetry propagation headers", "source": {"advisory": "GHSA-g94r-2vxg-569j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "open-telemetry", "product": "opentelemetry-dotnet", "versions": [{"status": "affected", "version": ">= 0.5.0-beta.2, < 1.15.3"}]}, {"vendor": "open-telemetry", "product": "OpenTelemetry.Api", "versions": [{"status": "affected", "version": ">= 0.5.0-beta.2, < 1.15.3"}]}, {"vendor": "open-telemetry", "product": "OpenTelemetry.Extensions.Propagators", "versions": [{"status": "affected", "version": ">= 1.3.1, < 1.15.3"}]}], "references": [{"url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j", "name": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048", "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244", "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309", "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/533", "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/533", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061", "name": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-789", "description": "CWE-789: Memory Allocation with Excessive Size Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-23T18:03:28.211Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40894", "state": "PUBLISHED", "dateUpdated": "2026-04-23T19:22:47.268Z", "dateReserved": "2026-04-15T16:37:22.766Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-23T18:03:28.211Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opentelemetry:opentelemetry:*:*:*:*:*:.net:*:*", "matchCriteriaId": "7CF8EB09-F7C5-49FA-BE45-15C9D6ACAE68", "versionEndExcluding": "1.15.3", "versionStartIncluding": "0.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:opentelemetry:opentelemetry.api:*:*:*:*:*:.net:*:*", "matchCriteriaId": "F4494846-0F47-4868-8315-76F82BA431CA", "versionEndExcluding": "1.15.3", "versionStartIncluding": "0.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD34268F-5D62-4ACF-9E83-22DA39B5B7F3", "versionEndExcluding": "1.15.3", "versionStartExcluding": "1.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3."}], "id": "CVE-2026-40894", "lastModified": "2026-04-28T19:34:26.253", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-23T19:17:28.810", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/533"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Mitigation"], "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-789"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.5.0-beta.2,1.15.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "opentelemetry-dotnet", "vendor": "opentelemetry"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.5.0-beta.2,1.15.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "opentelemetry.api", "vendor": "opentelemetry"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.3.1,1.15.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "OpenTelemetry.Extensions.Propagators", "source": "cna", "vendor": "open-telemetry"}, "product": "opentelemetry.extensions.propagators", "vendor": "opentelemetry"}], "analysis": {"en": {"generated_at": "2026-04-28T14:48:29.048548+00:00", "value": {"mitigation_remediation": ["Upgrade OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators to version\u202f1.15.3 or newer.", "If upgrading is not possible immediately, configure the application to reject or limit OpenTelemetry propagation headers, preventing the processing of overly large or malicious headers.", "Apply rate limiting or request validation on incoming traffic to reduce the impact of any residual memory allocation attempts."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via memory exhaustion"}, "threat_synthesis": {"affected_systems": "Vulnerable builds include OpenTelemetry.Api versions 0.5.0\u2011beta.2 through 1.15.2 and OpenTelemetry.Extensions.Propagators versions 1.3.1 through 1.15.2. Applications built against these NuGet packages could be exposed if they parse OpenTelemetry propagation headers. The issue is fixed in version 1.15.3 and later of both libraries.", "description_and_impact": "The vulnerability lies in the baggage, B3 and Jaeger header parsing logic of the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators libraries, where malformed or deliberately crafted propagation headers can trigger excessive memory allocation. This weakness falls under CWE-789\u202f\u2013\u00a0Memory\u202fExhaustion. Although the CVE description does not specify the exact attack vector, it is inferred that an attacker could send malicious OpenTelemetry headers to a .NET application that processes these headers, resulting in a denial of service when the application runs out of memory or becomes unresponsive.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate impact. The EPSS score of less than 1\u202f% suggests a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, if an application receives untrusted network traffic containing OpenTelemetry headers, an attacker could potentially trigger the excessive memory allocation, causing a local denial of service. Updating the library mitigates the issue."}}}}, "created": "2026-04-28T09:25:51.173653+00:00", "updated": "2026-04-28T15:00:14.492683+00:00", "vendors": ["opentelemetry", "opentelemetry$PRODUCT$opentelemetry-dotnet", "opentelemetry$PRODUCT$opentelemetry.api", "opentelemetry$PRODUCT$opentelemetry.extensions.propagators"]}