Vulnerability Details CVE-2026-40894
OpenTelemetry dotnet is a dotnet telemetry framework. In OpenTelemetry.Api 0.5.0-beta.2 to 1.15.2 and OpenTelemetry.Extensions.Propagators 1.3.1 to 1.15.2, The implementation details of the baggage, B3 and Jaeger processing code in the OpenTelemetry.Api and OpenTelemetry.Extensions.Propagators NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. This vulnerability is fixed in 1.15.3.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 5.9%
CVSS Severity
CVSS v3 Score 5.3
References
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/1048
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/3244
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/3309
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/533
- https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061
- https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-g94r-2vxg-569j
Products affected by CVE-2026-40894
-
cpe:2.3:a:opentelemetry:opentelemetry.api:0.5.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:0.6.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:0.7.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:0.8.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.0.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.0.1
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.1.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.10.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.11.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.11.1
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.11.2
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.12.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.13.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.13.1
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.14.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.15.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.15.1
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.15.2
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.2.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.3.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.4.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.5.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.5.1
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.6.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.7.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.8.0
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.8.1
-
cpe:2.3:a:opentelemetry:opentelemetry.api:1.9.0
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.10.0
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.11.0
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.11.1
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.11.2
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.12.0
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.13.0
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.13.1
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.14.0
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.15.0
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.15.1
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.15.2
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.4.0
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.5.0
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.5.1
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.6.0
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.7.0
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.8.0
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.8.1
-
cpe:2.3:a:opentelemetry:opentelemetry.extensions.propagators:1.9.0
-
cpe:2.3:a:opentelemetry:opentelemetry:0.5.0
-
cpe:2.3:a:opentelemetry:opentelemetry:0.6.0
-
cpe:2.3:a:opentelemetry:opentelemetry:0.7.0
-
cpe:2.3:a:opentelemetry:opentelemetry:0.8.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.0.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.0.1
-
cpe:2.3:a:opentelemetry:opentelemetry:1.1.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.10.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.11.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.11.1
-
cpe:2.3:a:opentelemetry:opentelemetry:1.11.2
-
cpe:2.3:a:opentelemetry:opentelemetry:1.12.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.13.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.13.1
-
cpe:2.3:a:opentelemetry:opentelemetry:1.14.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.15.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.15.1
-
cpe:2.3:a:opentelemetry:opentelemetry:1.15.2
-
cpe:2.3:a:opentelemetry:opentelemetry:1.2.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.3.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.3.1
-
cpe:2.3:a:opentelemetry:opentelemetry:1.3.2
-
cpe:2.3:a:opentelemetry:opentelemetry:1.4.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.5.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.5.1
-
cpe:2.3:a:opentelemetry:opentelemetry:1.6.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.7.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.8.0
-
cpe:2.3:a:opentelemetry:opentelemetry:1.8.1
-
cpe:2.3:a:opentelemetry:opentelemetry:1.9.0